diff --git a/.github/scripts/Invoke-PolicyToBicep-China.ps1 b/.github/scripts/Invoke-PolicyToBicep-China.ps1
index 2c57e45eb..23de4545d 100644
--- a/.github/scripts/Invoke-PolicyToBicep-China.ps1
+++ b/.github/scripts/Invoke-PolicyToBicep-China.ps1
@@ -111,13 +111,13 @@ $policyDefCount = Get-ChildItem -Recurse -Path "./infra-as-code/bicep/modules/po
 $policyDefCountString = $policyDefCount.Count
 Write-Information "====> Policy Set/Initiative Definitions Total: $policyDefCountString" -InformationAction Continue
-# Policy Asssignments - no separate policy assignments for Azure China, reusing the same assignments as Azure global regions
+# Policy Asssignments - separate policy assignments for Azure China due to different policy definitions - missing built-in policies, and features
-Write-Information "====> Creating/Emptying '_policyAssignmentsBicepInput.txt'" -InformationAction Continue
-Set-Content -Path "./infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt" -Value $null -Encoding "utf8"
+Write-Information "====> Creating/Emptying '_mc_policyAssignmentsBicepInput.txt'" -InformationAction Continue
+Set-Content -Path "./infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt" -Value $null -Encoding "utf8"
 Write-Information "====> Looping Through Policy Assignments:" -InformationAction Continue
-Get-ChildItem -Recurse -Path "./infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments" -Filter "*.json" | ForEach-Object {
+Get-ChildItem -Recurse -Path "./infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments" -Filter "*.json" | ForEach-Object {
 $policyAssignment = Get-Content $_.FullName | ConvertFrom-Json -Depth 100
 $policyAssignmentName = $policyAssignment.name
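Review bot: The China assignments directory is spelled out as a full string literal in every call this commit touches: `Set-Content` and `Get-ChildItem` in this hunk, `Add-Content` and the `Measure-Object` pipeline in the next one. A later path change then has to be made in four places, and a missed one would leave the script reading from one directory and writing to another. Define it once ahead of the section, `$mcAssignmentsPath = "./infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments"`, and derive the output file with `Join-Path $mcAssignmentsPath "_mc_policyAssignmentsBicepInput.txt"`. The `ForEach-Object` body opened on the last changed line continues outside this hunk.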
@@ -127,10 +127,10 @@ Get-ChildItem -Recurse -Path "./infra-as-code/bicep/modules/policy/assignments/l
 # Remove hyphens from Policy Assignment Name
 $policyAssignmentNameNoHyphens = $policyAssignmentName.replace("-","")
- Write-Information "==> Adding '$policyAssignmentName' to '$PWD/_policyAssignmentsBicepInput.txt'" -InformationAction Continue
- Add-Content -Path "./infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt" -Encoding "utf8" -Value "var varPolicyAssignment$policyAssignmentNameNoHyphens = {`r`n`tdefinitionId: '$policyAssignmentDefinitionID'`r`n`tlibDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/$fileName'))`r`n}`r`n"
+ Write-Information "==> Adding '$policyAssignmentName' to '$PWD/_mc_policyAssignmentsBicepInput.txt'" -InformationAction Continue
+ Add-Content -Path "./infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt" -Encoding "utf8" -Value "var varPolicyAssignment$policyAssignmentNameNoHyphens = {`r`n`tdefinitionID: '$policyAssignmentDefinitionID'`r`n`tlibDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/$fileName'))`r`n}`r`n"
 }
-$policyAssignmentCount = Get-ChildItem -Recurse -Path "./infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments" -Filter "*.json" | Measure-Object
+$policyAssignmentCount = Get-ChildItem -Recurse -Path "./infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments" -Filter "*.json" | Measure-Object
 $policyAssignmentCountString = $policyAssignmentCount.Count
-Write-Information "====> Policy Assignments Total: $policyAssignmentCountString" -InformationAction Continue
\ No newline at end of file
+Write-Information "====> Policy Assignments Total: $policyAssignmentCountString" -InformationAction Continue
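Review bot: The added `Add-Content` line writes `$policyAssignmentNameNoHyphens`, `$policyAssignmentDefinitionID` and `$fileName` straight into generated Bicep source, the first as part of a variable identifier and the other two inside single-quoted string literals, and nothing in the hunk validates them. Only hyphens are stripped from the name, so a JSON file whose `name` holds a dot or a space, or an ID or file name containing `'`, would yield output that fails to compile or changes the meaning of the generated variable, and the update-policy-china workflow appears to commit that output automatically. A guard before the write would make this fail loudly, for example `if ($policyAssignmentNameNoHyphens -notmatch '^[A-Za-z0-9_]+$') { throw "Unexpected policy assignment name '$policyAssignmentName'" }`, with a similar check that the ID and file name contain no single quote. Where `$policyAssignmentDefinitionID` and `$fileName` are assigned is outside the hunk, so confirm they are not already checked there. Separately, the `Write-Information` message reports `$PWD/_mc_policyAssignmentsBicepInput.txt`, which is not the path `Add-Content` writes to.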
diff --git a/.github/workflows/update-policy-china.yml b/.github/workflows/update-policy-china.yml
index 79a82386a..22ae2cc3d 100644
--- a/.github/workflows/update-policy-china.yml
+++ b/.github/workflows/update-policy-china.yml
@@ -88,7 +88,7 @@ jobs:
 run: |
 echo "Pushing changes to origin..."
 git add infra-as-code/bicep/modules/policy/definitions/lib/china
- git add infra-as-code/bicep/modules/policy/assignments/lib
+ git add infra-as-code/bicep/modules/policy/assignments/lib/china
 git commit -m '${{ env.pr_title }}'
 git push origin ${{ env.branch_name }}
 working-directory: ${{ github.repository }}
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/README.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/README.md
index 8a17b51c3..c4b1c8bf3 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/README.md
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/README.md
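Review bot: In `.github/workflows/update-policy-china.yml`, the unchanged `git commit -m '${{ env.pr_title }}'` and `git push origin ${{ env.branch_name }}` lines of this step expand workflow expressions directly into the script text, so the values are parsed as shell syntax rather than passed as data. Where `pr_title` and `branch_name` are set is outside the hunk; if either can ever carry externally influenced text, this is the script-injection pattern that GitHub's workflow hardening guidance warns about. Because `env` values are already exported to the step's shell, the two lines can read `git commit -m "$pr_title"` and `git push origin "$branch_name"`. The step's opening lines and the rest of the job are outside the hunk.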
@@ -29,7 +29,7 @@ The module does not generate any outputs.
 > For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
-> **Important:** If you decide to not use a DDoS Standard plan in your environment and therefore leave the parameter `parDdosProtectionPlanId` as an empty string (`''`) then the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues.
+> **Important:** If you decide to not use a DDoS Standard plan in your environment and therefore leave the parameter `parDdosProtectionPlanId` as an empty string (`''`) then the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues. For deployment in Azure China, leave the parameter `parDdosProtectionPlanId` as an empty string (`''`) because the DDoS Protection feature is not available in Azure China.
 >
 > However, if you later do decide to deploy an DDoS Standard Plan, you will need to remember to come back and update the parameter `parDdosProtectionPlanId` with the resource ID of the DDoS Standard Plan to ensure the policy is applied to the relevant Management Groups. You can then use a policy [remediation task](https://docs.microsoft.com/azure/governance/policy/how-to/remediate-resources) to bring all non-compliant VNETs back into compliance, once a [compliance scan](https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data#evaluation-triggers) has taken place.
@@ -47,7 +47,7 @@ OR
 ```bash
 # For Azure China regions
 az deployment mg create \
- --template-file infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep \
+ --template-file infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep \
 --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json \
 --location chinaeast2 \
 --management-group-id alz
@@ -67,7 +67,7 @@ OR
 ```powershell
 # For Azure China regions
 New-AzManagementGroupDeployment `
- -TemplateFile infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep `
+ -TemplateFile infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep `
 -TemplateParameterFile infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json `
 -Location chinaeast2 `
 -ManagementGroupId alz
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep
new file mode 100644
index 000000000..92ea59635
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep
@@ -0,0 +1,732 @@ +@description('Prefix for the management group hierarchy. DEFAULT VALUE = alz') +@minLength(2) +@maxLength(10) +param parTopLevelManagementGroupPrefix string = 'alz' + +@description('The region where the Log Analytics Workspace & Automation Account are deployed. DEFAULT VALUE = chinaeast2') +param parLogAnalyticsWorkSpaceAndAutomationAccountLocation string = 'chinaeast2' + +@description('Log Analytics Workspace Resource ID. - DEFAULT VALUE: Empty String ') +param parLogAnalyticsWorkspaceResourceID string = '' + +@description('Number of days of log retention for Log Analytics Workspace. - DEFAULT VALUE: 365') +param parLogAnalyticsWorkspaceLogRetentionInDays string = '365' + +@description('Automation account name. - DEFAULT VALUE: alz-automation-account') +param parAutomationAccountName string = 'alz-automation-account' + +@description('An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to.') +param parMsDefenderForCloudEmailSecurityContact string = 'security_contact@replace_me.com' + +@description('ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues. 
Default: Empty String') +param parDdosProtectionPlanId string = '' + +@description('Set Parameter to true to Opt-out of deployment telemetry') +param parTelemetryOptOut bool = false + +var varLogAnalyticsWorkspaceName = split(parLogAnalyticsWorkspaceResourceID, '/')[8] + +var varLogAnalyticsWorkspaceResourceGroupName = split(parLogAnalyticsWorkspaceResourceID, '/')[4] + +// Customer Usage Attribution Id +var varCuaid = '98cef979-5a6b-403b-83c7-10c8f04ac9a2' + +// **Variables** +// Orchestration Module Variables +var varDeploymentNameWrappers = { + basePrefix: 'ALZBicep' + #disable-next-line no-loc-expr-outside-params //Policies resources are not deployed to a region, like other resources, but the metadata is stored in a region hence requiring this to keep input parameters reduced. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information + baseSuffixTenantAndManagementGroup: '${deployment().location}-${uniqueString(deployment().location, parTopLevelManagementGroupPrefix)}' +} + +var varModuleDeploymentNames = { + modPolicyAssignmentIntRootDeployMDFCConfig: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMDFCConfig-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployAzActivityLog: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAzActivityLog-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployASCMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployASCMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployResourceDiag: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployResourceDiag-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployVMMonitoring: 
take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployVMSSMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMSSMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentConnEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-conn-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIdentDenyPublicIP: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIdentDenyRDPFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyRDPFromInet-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIdentDenySubnetWithoutNSG: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIdentDeployVMBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentMgmtDeployLogAnalytics: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployLAW-mgmt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLZsDenyIPForwarding: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyIPForward-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLZsDenyPublicIP: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLZsDenyRDPFromInternet: 
take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyRDPFromInet-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLZsDenySubnetWithoutNSG: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLZsDeployVMBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLZsEnableDDoSVNET: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLZsDenyStorageHttp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyStorageHttp-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLZsDeployAKSPolicy: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAKSPolicy-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLZsDenyPrivEscalationAKS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivEscAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLZsDenyPrivContainersAKS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivConAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLZsEnforceAKSHTTPS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAKSHTTPS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLZsEnforceTLSSSL: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceTLSSSL-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLZsDeploySQLDBAuditing: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLDBAudit-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + 
modPolicyAssignmentLZsDeploySQLThreat: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLThreat-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLZsDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLZsDeployPrivateDNSZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployPrivateDNS-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLZsDenyDataBPip: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDataBPip-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLZsDenyDataBSku: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDataBSku-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLZsDenyDataBVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDataBVnet-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) +} + +// Policy Assignments Modules Variables + +var varPolicyAssignmentEnforceAKSHTTPS = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json')) +} + +var varPolicyAssignmentDenyIPForwarding = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json')) +} + +var varPolicyAssignmentDenyPrivContainersAKS = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4' + libDefinition: 
json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json')) +} + +var varPolicyAssignmentDenyPrivEscalationAKS = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json')) +} + +var varPolicyAssignmentDenyPublicEndpoints = { + definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json')) +} + +var varPolicyAssignmentDenyPublicIP = { + definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')) +} + +var varPolicyAssignmentDenyRDPFromInternet = { + definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json')) +} + +var varPolicyAssignmentDenyStoragehttp = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json')) +} + +var varPolicyAssignmentDenySubnetWithoutNsg = { + definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg' + libDefinition: 
json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json')) +} + +var varPolicyAssignmentDeployAKSPolicy = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json')) +} + +var varPolicyAssignmentDeployASCMonitoring = { + definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json')) +} + +var varPolicyAssignmentDeployLogAnalytics = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json')) +} + +var varPolicyAssignmentDeployMDFCConfig = { + definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json')) +} + +var varPolicyAssignmentDeployResourceDiag = { + definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json')) +} + +var varPolicyAssignmentDeploySQLDBAuditing = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9' + libDefinition: 
json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json')) +} + +var varPolicyAssignmentDeploySQLThreat = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json')) +} + +var varPolicyAssignmentDeployVMBackup = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json')) +} + +var varPolicyAssignmentDeployVMMonitoring = { + definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json')) +} + +var varPolicyAssignmentDeployVMSSMonitoring = { + definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json')) +} + +var varPolicyAssignmentEnableDDoSVNET = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json')) +} + +var varPolicyAssignmentEnforceTLSSSL = { + definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit' + libDefinition: 
json(loadTextContent('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json')) +} + +// RBAC Role Definitions Variables - Used For Policy Assignments +var varRBACRoleDefinitionIDs = { + owner: '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' + contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + networkContributor: '4d97b98b-1d4f-4787-a291-c67834d212e7' + aksContributor: 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8' +} + +// Managment Groups Varaibles - Used For Policy Assignments +var varManagementGroupIDs = { + intRoot: parTopLevelManagementGroupPrefix + platform: '${parTopLevelManagementGroupPrefix}-platform' + platformManagement: '${parTopLevelManagementGroupPrefix}-platform-management' + platformConnectivity: '${parTopLevelManagementGroupPrefix}-platform-connectivity' + platformIdentity: '${parTopLevelManagementGroupPrefix}-platform-identity' + landingZones: '${parTopLevelManagementGroupPrefix}-landingzones' + landingZonesCorp: '${parTopLevelManagementGroupPrefix}-landingzones-corp' + landingZonesOnline: '${parTopLevelManagementGroupPrefix}-landingzones-online' + decommissioned: '${parTopLevelManagementGroupPrefix}-decommissioned' + sandbox: '${parTopLevelManagementGroupPrefix}-sandbox' +} + +var varTopLevelManagementGroupResourceID = '/providers/Microsoft.Management/managementGroups/${varManagementGroupIDs.intRoot}' + +// **Scope** +targetScope = 'managementGroup' + +// Optional Deployment for Customer Usage Attribution +module modCustomerUsageAttribution '../../../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. 
See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information + name: 'pid-${varCuaid}-${uniqueString(deployment().location)}' + params: {} +} + +// Modules - Policy Assignments - Intermediate Root Management Group +// Module - Policy Assignment - Deploy-MDFC-Config +module modPolicyAssignmentIntRootDeployMDFCConfig '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMDFCConfig + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployMDFCConfig.definitionID + parPolicyAssignmentName: varPolicyAssignmentDeployMDFCConfig.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + emailSecurityContact: { + value: parMsDefenderForCloudEmailSecurityContact + } + ascExportResourceGroupLocation: { + value: parLogAnalyticsWorkSpaceAndAutomationAccountLocation + } + logAnalytics: { + value: parLogAnalyticsWorkspaceResourceID + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployMDFCConfig.libDefinition.identity.type + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRBACRoleDefinitionIDs.owner + ] + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-ASC-Monitoring +module modPolicyAssignmentIntRootDeployASCMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + // dependsOn: [ + // modCustomPolicyDefinitions + // ] + scope: 
managementGroup(varManagementGroupIDs.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployASCMonitoring + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployASCMonitoring.definitionID + parPolicyAssignmentName: varPolicyAssignmentDeployASCMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployASCMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// // Module - Policy Assignment - Deploy-Resource-Diag +module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployResourceDiag + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployResourceDiag.definitionID + parPolicyAssignmentName: varPolicyAssignmentDeployResourceDiag.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + logAnalytics: { + value: parLogAnalyticsWorkspaceResourceID + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployResourceDiag.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: 
varPolicyAssignmentDeployResourceDiag.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-VM-Monitoring
+module modPolicyAssignmentIntRootDeployVMMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.intRoot)
+ name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVMMonitoring
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitoring.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitoring.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ logAnalytics_1: {
+ value: parLogAnalyticsWorkspaceResourceID
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-VMSS-Monitoring
+module modPolicyAssignmentIntRootDeployVMSSMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.intRoot)
+ name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVMSSMonitoring
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitoring.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ logAnalytics_1: {
+ value: parLogAnalyticsWorkspaceResourceID
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// // Modules - Policy Assignments - Connectivity Management Group
+// Module - Policy Assignment - Enable-DDoS-VNET
+module modPolicyAssignmentConnEnableDDoSVNET '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(parDdosProtectionPlanId)) {
+ scope: managementGroup(varManagementGroupIDs.platformConnectivity)
+ name: varModuleDeploymentNames.modPolicyAssignmentConnEnableDdosVnet
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnableDDoSVNET.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentEnableDDoSVNET.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ ddosPlan: {
+ value: parDdosProtectionPlanId
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDDoSVNET.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.networkContributor
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Modules - Policy Assignments - Identity Management Group
+// Module - Policy Assignment - Deny-Public-IP
+module modPolicyAssignmentIdentDenyPublicIP '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.platformIdentity)
+ name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyPublicIP
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIP.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDenyPublicIP.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIP.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIP.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIP.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIP.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPublicIP.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-RDP-From-Internet
+module modPolicyAssignmentIdentDenyRDPFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.platformIdentity)
+ name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyRDPFromInternet
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyRDPFromInternet.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyRDPFromInternet.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Subnet-Without-Nsg
+module modPolicyAssignmentIdentDenySubnetWithoutNSG '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.platformIdentity)
+ name: varModuleDeploymentNames.modPolicyAssignmentIdentDenySubnetWithoutNSG
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenySubnetWithoutNsg.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-VM-Backup
+module modPolicyAssignmentIdentDeployVMBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.platformIdentity)
+ name: varModuleDeploymentNames.modPolicyAssignmentIdentDeployVMBackup
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMBackup.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDeployVMBackup.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMBackup.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVMBackup.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVMBackup.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMBackup.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVMBackup.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Modules - Policy Assignments - Management Management Group
+// Module - Policy Assignment - Deploy-Log-Analytics
+module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.platformManagement)
+ name: varModuleDeploymentNames.modPolicyAssignmentMgmtDeployLogAnalytics
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployLogAnalytics.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDeployLogAnalytics.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ rgName: {
+ value: varLogAnalyticsWorkspaceResourceGroupName
+ }
+ workspaceName: {
+ value: varLogAnalyticsWorkspaceName
+ }
+ workspaceRegion: {
+ value: parLogAnalyticsWorkSpaceAndAutomationAccountLocation
+ }
+ dataRetention: {
+ value: parLogAnalyticsWorkspaceLogRetentionInDays
+ }
+ automationAccountName: {
+ value: parAutomationAccountName
+ }
+ automationRegion: {
+ value: parLogAnalyticsWorkSpaceAndAutomationAccountLocation
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployLogAnalytics.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Modules - Policy Assignments - Landing Zones Management Group
+// Module - Policy Assignment - Deny-IP-Forwarding
+module modPolicyAssignmentLZsDenyIPForwarding '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyIPForwarding
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyIPForwarding.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDenyIPForwarding.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyIPForwarding.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-RDP-From-Internet
+module modPolicyAssignmentLZstDenyRDPFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyRDPFromInternet
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyRDPFromInternet.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyRDPFromInternet.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Subnet-Without-Nsg
+module modPolicyAssignmentLZsDenySubnetWithoutNSG '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDenySubnetWithoutNSG
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenySubnetWithoutNsg.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-VM-Backup
+module modPolicyAssignmentLZsDeployVMBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDeployVMBackup
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMBackup.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDeployVMBackup.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMBackup.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVMBackup.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVMBackup.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMBackup.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVMBackup.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Enable-DDoS-VNET
+module modPolicyAssignmentLZsEnableDDoSVNET '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(parDdosProtectionPlanId)) {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsEnableDDoSVNET
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnableDDoSVNET.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentEnableDDoSVNET.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ ddosPlan: {
+ value: parDdosProtectionPlanId
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDDoSVNET.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.networkContributor
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Storage-http
+module modPolicyAssignmentLZsDenyStorageHttp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyStorageHttp
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyStoragehttp.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDenyStoragehttp.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyStoragehttp.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-AKS-Policy
+module modPolicyAssignmentLZsDeployAKSPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDeployAKSPolicy
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAKSPolicy.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDeployAKSPolicy.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAKSPolicy.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.aksContributor
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Priv-Escalation-AKS
+module modPolicyAssignmentLZsDenyPrivEscalationAKS '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPrivEscalationAKS
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPrivEscalationAKS.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Priv-Containers-AKS
+module modPolicyAssignmentLZsDenyPrivContainersAKS '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPrivContainersAKS
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPrivContainersAKS.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Enforce-AKS-HTTPS
+module modPolicyAssignmentLZsEnforceAKSHTTPS '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsEnforceAKSHTTPS
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceAKSHTTPS.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Enforce-TLS-SSL
+module modPolicyAssignmentLZsEnforceTLSSSL '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsEnforceTLSSSL
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceTLSSSL.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentEnforceTLSSSL.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceTLSSSL.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-SQL-DB-Auditing
+module modPolicyAssignmentLZsDeploySQLDBAuditing '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDeploySQLDBAuditing
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeploySQLDBAuditing.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-SQL-Threat
+module modPolicyAssignmentLZsDeploySQLThreat '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDeploySQLThreat
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeploySQLThreat.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDeploySQLThreat.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySQLThreat.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Modules - Policy Assignments - Corp Management Group
+// Module - Policy Assignment - Deny-Public-Endpoints
+module modPolicyAssignmentLZsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZonesCorp)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPublicEndpoints
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicEndpoints.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDenyPublicEndpoints.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicEndpoints.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Public-IP
+module modPolicyAssignmentLZsDenyPublicIP '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZonesCorp)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPublicIP
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIP.definitionID
+ parPolicyAssignmentName: varPolicyAssignmentDenyPublicIP.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIP.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIP.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIP.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIP.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPublicIP.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt
new file mode 100644
index 000000000..de0ba043a
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt
@@ -0,0 +1,150 @@ +var varPolicyAssignmentDenyAppGWWithoutWAF = { + definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json')) +} + +var varPolicyAssignmentEnforceAKSHTTPS = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json')) +} + +var varPolicyAssignmentDenyIPForwarding = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json')) +} + +var varPolicyAssignmentDenyPrivContainersAKS = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json')) +} + +var varPolicyAssignmentDenyPrivEscalationAKS = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json')) +} + +var varPolicyAssignmentDenyPublicEndpoints = { + definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json')) +} + +var varPolicyAssignmentDenyPublicIP = { + 
definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')) +} + +var varPolicyAssignmentDenyRDPFromInternet = { + definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json')) +} + +var varPolicyAssignmentDenyResourceLocations = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json')) +} + +var varPolicyAssignmentDenyResourceTypes = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json')) +} + +var varPolicyAssignmentDenyRSGLocations = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json')) +} + +var varPolicyAssignmentDenyStoragehttp = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json')) +} + +var varPolicyAssignmentDenySubnetWithoutNsg = { + definitionID: 
'${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json')) +} + +var varPolicyAssignmentDenySubnetWithoutUdr = { + definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json')) +} + +var varPolicyAssignmentDeployAKSPolicy = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json')) +} + +var varPolicyAssignmentDeployASCMonitoring = { + definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json')) +} + +var varPolicyAssignmentDeployLogAnalytics = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json')) +} + +var varPolicyAssignmentDeployLXArcMonitoring = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json')) +} + +var varPolicyAssignmentDeployMDFCConfig = { + definitionID: 
'${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json')) +} + +var varPolicyAssignmentDeployPrivateDNSZones = { + definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json')) +} + +var varPolicyAssignmentDeployResourceDiag = { + definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json')) +} + +var varPolicyAssignmentDeploySQLDBAuditing = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json')) +} + +var varPolicyAssignmentDeploySQLSecurity = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json')) +} + +var varPolicyAssignmentDeploySQLThreat = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json')) +} + +var varPolicyAssignmentDeployVMBackup = { + definitionID: 
'/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json')) +} + +var varPolicyAssignmentDeployVMMonitoring = { + definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json')) +} + +var varPolicyAssignmentDeployVMSSMonitoring = { + definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json')) +} + +var varPolicyAssignmentDeployWSArcMonitoring = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json')) +} + +var varPolicyAssignmentEnableDDoSVNET = { + definitionID: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json')) +} + +var varPolicyAssignmentEnforceTLSSSL = { + definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit' + libDefinition: json(loadTextContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json')) +} + 
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json
new file mode 100644
index 000000000..51d876afc
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-AppGW-Without-WAF",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deny creation of App Gateway without WAF.",
+ "displayName": "Deny-AppGW-Without-WAF",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json
new file mode 100644
index 000000000..bc0fa7bce
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json
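Review bot: In `policy_assignment_es_deny_appgw_without_waf.tmpl.json`, `properties.policyDefinitionId` holds the text `${modManagementGroups.outputs.outTopLevelMGId}/...`, which stays an unresolved literal when the file is read with `json(loadTextContent(...))`, as the generated `_mc_policyAssignmentsBicepInput.txt` in this commit does. The assignment modules visible in this commit pass `definitionID` from the generated variable instead, so the resolved ID appears to come only from that path. JSON cannot carry a comment, so I would record this in the lib's documentation, for example `properties.policyDefinitionId in the *.tmpl.json files is a placeholder; use the generated definitionID`. A later consumer reading `libDefinition.properties.policyDefinitionId` directly would otherwise pass an ID that does not resolve, and a deny control that fails to assign is easy to miss. The same holds for the other templates whose generated `definitionID` starts with the management-group placeholder, such as Deny-PublicIP and Deny-RDP-From-Internet.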
@@ -0,0 +1,22 @@
+{
+ "name": "Enforce-AKS-HTTPS",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc.",
+ "displayName": "Kubernetes clusters should be accessible only over HTTPS",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
new file mode 100644
index 000000000..4cae9a5ba
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deny-IP-Forwarding",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team.",
+ "displayName": "Network interfaces should disable IP forwarding",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json
new file mode 100644
index 000000000..439b716c0
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Priv-Containers-AKS",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+ "displayName": "Kubernetes cluster should not allow privileged containers",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json
new file mode 100644
index 000000000..5aeff9c94
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Priv-Escalation-AKS",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+ "displayName": "Kubernetes clusters should not allow container privilege escalation",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json
new file mode 100644
index 000000000..54ff4c37d
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deny-Public-Endpoints",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints.",
+ "displayName": "Public network access should be disabled for PaaS services",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
new file mode 100644
index 000000000..d3cda6189
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Public-IP",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies creation of Public IPs under the assigned scope.",
+ "displayName": "Deny the creation of public IP",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json
new file mode 100644
index 000000000..b3218f79d
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-RDP-From-Internet",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies any network security rule that allows RDP access from Internet.",
+ "displayName": "RDP access from the Internet should be blocked",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json
new file mode 100644
index 000000000..ef3f7cddc
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json
@@ -0,0 +1,28 @@
+{
+ "name": "Deny-Resource-Locations",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Specifies the allowed locations (regions) where Resources can be deployed.",
+ "displayName": "Limit allowed locations for Resources",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ },
+ "listOfAllowedLocations": {
+ "value": [
+ "uksouth",
+ "ukwest"
+ ]
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json
new file mode 100644
index 000000000..83077e3f5
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Resource-Types",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Specifies the Resource Types to deny deployment by policy.",
+ "displayName": "Deny-Resource-Types",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
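Review bot: The default `listOfAllowedLocations` in `policy_assignment_es_deny_resource_locations.tmpl.json` is `uksouth`/`ukwest`, which are not Azure China regions, so with `effect` set to `deny` this China-library assignment would reject every deployment in the target cloud unless the caller overrides the list. Whether the assignments module always overrides it is not visible in this diff, so a default that is valid for the cloud is safer, e.g. `"value": [ "chinaeast2" ]`, the region `policy_assignment_es_deploy_mdfc_config.tmpl.json` already uses. `policy_assignment_es_deny_rsg_locations.tmpl.json` further down passes no `listOfAllowedLocations` at all and presumably relies on the same override; the two templates should handle the list the same way.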
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json
new file mode 100644
index 000000000..bb368ceb3
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-RSG-Locations",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed.",
+ "displayName": "Limit allowed locations for Resource Groups",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
new file mode 100644
index 000000000..7b7666cc7
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Storage-http",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.",
+ "displayName": "Secure transfer to storage accounts should be enabled",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json
new file mode 100644
index 000000000..1caa90b39
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json
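Review bot: The `description` in `policy_assignment_es_deny_storage_http.tmpl.json` opens with "Audit requirement of Secure transfer in your storage account." while the assignment sets `effect` to `Deny`, so anyone reading the assignment in the portal or in a compliance export is told it is audit-only when it actually blocks storage accounts that accept plain HTTP. Replace that first sentence with one that matches the enforced behaviour, for example `Denies storage accounts that do not have secure transfer enabled.`, and keep the rest of the description as it is.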
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Subnet-Without-Nsg",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.",
+ "displayName": "Subnets should have a Network Security Group",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json
new file mode 100644
index 000000000..609a19095
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Subnet-Without-Udr",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies the creation of a subnet without a User-Defined Route to control traffic flow.",
+ "displayName": "Subnets should have a User-Defined Route",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
new file mode 100644
index 000000000..ce3dadeb7
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-AKS-Policy",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.",
+ "displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
new file mode 100644
index 000000000..65e82db1b
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-ASC-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Monitoring in Microsoft Defender for Cloud.",
+ "displayName": "Enable Monitoring in Microsoft Defender for Cloud",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json
new file mode 100644
index 000000000..c01d4dd4d
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json
@@ -0,0 +1,43 @@
+{
+ "name": "Deploy-Log-Analytics",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy-Log-Analytics.",
+ "displayName": "Deploy-Log-Analytics",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "workspaceName": {
+ "value": "${parTopLevelManagementGroupPrefix}-la"
+ },
+ "automationAccountName": {
+ "value": "${parTopLevelManagementGroupPrefix}-automation"
+ },
+ "workspaceRegion": {
+ "value": "${parDefaultRegion}"
+ },
+ "automationRegion": {
+ "value": "${parDefaultRegion}"
+ },
+ "dataRetention": {
+ "value": "30"
+ },
+ "sku": {
+ "value": "pergb2018"
+ },
+ "rgName": {
+ "value": "${parTopLevelManagementGroupPrefix}-mgmt"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json
new file mode 100644
index 000000000..5694a3e3f
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json
@@ -0,0 +1,25 @@
+{
+ "name": "Deploy-LX-Arc-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy-Linux-Arc-Monitoring.",
+ "displayName": "Deploy-Linux-Arc-Monitoring",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json
new file mode 100644
index 000000000..6e66a9cfb
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json
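Review bot: The `logAnalytics` default in `policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json` is a well-formed workspace resource ID under the all-zero subscription `00000000-0000-0000-0000-000000000000`, and the same literal is repeated in the `deploy_resource_diag`, `deploy_vm_monitoring` and `deploy_vmss_monitoring` templates later in this diff. If the consuming module ever misses the override (that code is not part of these hunks), the assignment still deploys cleanly but its remediation targets a workspace that does not exist, so monitoring data silently never arrives. A default that cannot be mistaken for a real ID is safer, for instance `"value": "<LOG_ANALYTICS_WORKSPACE_RESOURCE_ID: must be overridden>"` (placeholder text constructed for this note), paired with a check in the deployment pipeline that rejects any assignment still carrying it.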
@@ -0,0 +1,40 @@
+{
+ "name": "Deploy-MDFC-Config",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy Microsoft Defender for Cloud configuration and Security Contacts",
+ "displayName": "Deploy Microsoft Defender for Cloud configuration",
+ "notScopes": [],
+ "parameters": {
+ "emailSecurityContact": {
+ "value": "security_contact@replace_me"
+ },
+ "logAnalytics": {
+ "value": "law-alz"
+ },
+ "ascExportResourceGroupName": {
+ "value": "asc-export-alz"
+ },
+ "ascExportResourceGroupLocation": {
+ "value": "chinaeast2"
+ },
+ "enableAscForServers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForSql": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForContainers": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
new file mode 100644
index 000000000..f2ac12f7e
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
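Review bot: `emailSecurityContact` defaults to `security_contact@replace_me` in `policy_assignment_es_deploy_mdfc_config.tmpl.json`, so a deployment that forgets the override configures the Defender for Cloud security contact with an address nobody reads, and alert notifications are lost without any deployment error. The value should be a mandatory input of whatever module loads this file, with no usable default, and the pipeline should fail if the literal `replace_me` is still present at deploy time. `logAnalytics` is the bare name `law-alz` here, whereas the other monitoring templates in this diff pass a full workspace resource ID; which form the `Deploy-MDFC-Config` initiative expects is not visible in this hunk and should be confirmed.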
@@ -0,0 +1,82 @@ +{ + "name": "Deploy-Private-DNS-Zones", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones.", + "displayName": "Configure Azure PaaS services to use private DNS zones", + "notScopes": [], + "parameters": { + "effect": { + "value": "DeployIfNotExists" + }, + "azureFilePrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.afs.azure.net" + }, + "azureWebPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.webpubsub.azure.com" + }, + "azureBatchPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.${parDefaultRegion}.batch.azure.com" + }, + "azureAppPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.azconfig.io" + }, + "azureAsrPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}${parDefaultRegion}.privatelink.siterecovery.windowsazure.com" + }, + "azureIoTPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.azure-devices-provisioning.net" + }, + "azureKeyVaultPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.vaultcore.azure.net" + }, + "azureSignalRPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.service.signalr.net" + }, + "azureAppServicesPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.azurewebsites.net" + }, + "azureEventGridTopicsPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.eventgrid.azure.net" + }, + "azureDiskAccessPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.blob.core.windows.net" + }, + "azureCognitiveServicesPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.cognitiveservices.azure.com" + }, + "azureIotHubsPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.azure-devices.net" + }, + 
"azureEventGridDomainsPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.eventgrid.azure.net" + }, + "azureRedisCachePrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.redis.cache.windows.net" + }, + "azureAcrPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.azurecr.io" + }, + "azureEventHubNamespacePrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.servicebus.windows.net" + }, + "azureMachineLearningWorkspacePrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.api.azureml.ms" + }, + "azureServiceBusNamespacePrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.servicebus.windows.net" + }, + "azureCognitiveSearchPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.search.windows.net" + } + }, + "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "SystemAssigned" + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json new file mode 100644 index 000000000..e441e2a55 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json 
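Review bot: Every zone name in `policy_assignment_es_deploy_private_dns_zones.tmpl.json` carries a global-cloud suffix (`privatelink.blob.core.windows.net`, `privatelink.vaultcore.azure.net`, `privatelink.azurecr.io` and so on) although the file lives in the `china` library. Azure China services use their own DNS suffixes, so private endpoints registered in these zones would probably not resolve for clients there, and traffic intended to stay private could fail or go to the public endpoint instead. Each value should be checked against the Azure China private-link zone list, e.g. `"value": "${private_dns_zone_prefix}privatelink.blob.core.chinacloudapi.cn"` for `azureDiskAccessPrivateDnsZoneId`, and any service without private-link support in that cloud dropped from the assignment. The `${private_dns_zone_prefix}` token is not defined anywhere in the visible part of this diff, so how it gets substituted also needs confirming.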
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-Resource-Diag",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Ensures that Azure resources are configured to forward diagnostic logs and metrics to an Azure Log Analytics workspace.",
+ "displayName": "Deploy-Resource-Diag",
+ "notScopes": [],
+ "parameters": {
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json
new file mode 100644
index 000000000..2ada69535
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-SQL-DB-Auditing",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.",
+ "displayName": "Auditing on SQL server should be enabled",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "AuditIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json
new file mode 100644
index 000000000..fb7ca3e43
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-SQL-Security",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy-SQL-Security.",
+ "displayName": "Deploy-SQL-Security",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
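Review bot: `policy_assignment_es_deploy_sql_db_auditing.tmpl.json` requests a `SystemAssigned` identity although the only effect it sets is `AuditIfNotExists`, which reports compliance and runs no remediation deployment. An identity that is never used is still a principal that can be granted roles at the assignment scope (role assignment happens outside this hunk), so least privilege points to `"identity": { "type": "None" }`, as the deny templates in this diff already have. If the intent is to actually turn auditing on, as the `Deploy-` prefix in the name suggests, then the effect and the referenced definition need to change instead, because as written nothing is deployed.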
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
new file mode 100644
index 000000000..b290550f1
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-SQL-Threat",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy ensures that Threat Detection is enabled on SQL Servers.",
+ "displayName": "Deploy Threat Detection on SQL servers",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
new file mode 100644
index 000000000..fb2f29562
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-VM-Backup",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.",
+ "displayName": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json
new file mode 100644
index 000000000..738007b0b
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-VM-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter.",
+ "displayName": "Enable Azure Monitor for VMs",
+ "notScopes": [],
+ "parameters": {
+ "logAnalytics_1": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json
new file mode 100644
index 000000000..a6e144263
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json
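Review bot: The `logAnalytics_1` value hard-codes the all-zero subscription ID `00000000-0000-0000-0000-000000000000`, and nothing in this template shows it being replaced. The same placeholder appears in `logAnalytics_1` of Deploy-VMSS-Monitoring, `logAnalytics` of Deploy-WS-Arc-Monitoring and `ddosPlan` of Enable-DDoS-VNET. With `enforcementMode` set to `Default`, an assignment deployed without an override would point remediation at a workspace or DDoS plan that does not exist, so the control looks assigned while nothing is collected or protected. Presumably the consuming Bicep overrides these parameters; a pipeline check that fails when the compiled assignment parameters still contain that all-zero ID would make the assumption explicit.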
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-VMSS-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.",
+ "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets",
+ "notScopes": [],
+ "parameters": {
+ "logAnalytics_1": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json
new file mode 100644
index 000000000..5ee6284d2
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json
@@ -0,0 +1,25 @@
+{
+ "name": "Deploy-WS-Arc-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed.",
+ "displayName": "Deploy-Windows-Arc-Monitoring",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json
new file mode 100644
index 000000000..5463b8605
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json
@@ -0,0 +1,25 @@
+{
+ "name": "Enable-DDoS-VNET",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs.",
+ "displayName": "Virtual networks should be protected by Azure DDoS Protection Standard",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Modify"
+ },
+ "ddosPlan": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.Network/ddosProtectionPlans/${parTopLevelManagementGroupPrefix}-ddos"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json
new file mode 100644
index 000000000..2b91e3b63
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Enforce-TLS-SSL",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit.",
+ "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt
index 89f1dd0e4..675682648 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt
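Review bot: The `policyDefinitionId` in the Enforce-TLS-SSL template interpolates `modManagementGroups.outputs.outTopLevelMGId`, while the global assignments input later on this page references `modManagementGroups.outputs.outTopLevelManagementGroupId` for the same Enforce-EncryptTransit set. If the consuming module only exposes the longer output name (not visible here), the assignment that enforces encryption in transit would fail to resolve instead of deploying. Unless the China module really defines the short name, the line should read `"policyDefinitionId": "${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit",`.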
@@ -2,169 +2,169 @@ var varPolicyAssignmentDenyAppGWWithoutWAF = { definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json')) } - + var varPolicyAssignmentDenyDataBPip = { definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json')) } - + var varPolicyAssignmentDenyDataBSku = { definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json')) } - + var varPolicyAssignmentDenyDataBVnet = { definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json')) } - + var varPolicyAssignmentEnforceAKSHTTPS = { definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json')) } - + var varPolicyAssignmentDenyIPForwarding = { definitionId: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json')) } - + var 
varPolicyAssignmentDenyPrivContainersAKS = { definitionId: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json')) } - + var varPolicyAssignmentDenyPrivEscalationAKS = { definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json')) } - + var varPolicyAssignmentDenyPublicEndpoints = { definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json')) } - + var varPolicyAssignmentDenyPublicIP = { definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')) } - + var varPolicyAssignmentDenyRDPFromInternet = { definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json')) } - + var varPolicyAssignmentDenyResourceLocations = { definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json')) } - + var varPolicyAssignmentDenyResourceTypes = { definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json')) } - + var varPolicyAssignmentDenyRSGLocations = { definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json')) } - + var varPolicyAssignmentDenyStoragehttp = { definitionId: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json')) } - + var varPolicyAssignmentDenySubnetWithoutNsg = { definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json')) } - + var varPolicyAssignmentDenySubnetWithoutUdr = { definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json')) } - + var varPolicyAssignmentDeployAKSPolicy = { definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json')) } - + var varPolicyAssignmentDeployASCMonitoring = { definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8' libDefinition: 
json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json')) } - + var varPolicyAssignmentDeployAzActivityLog = { definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json')) } - + var varPolicyAssignmentDeployLogAnalytics = { definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json')) } - + var varPolicyAssignmentDeployLXArcMonitoring = { definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json')) } - + var varPolicyAssignmentDeployMDFCConfig = { definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json')) } - + var varPolicyAssignmentDeployPrivateDNSZones = { definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json')) } - + var varPolicyAssignmentDeployResourceDiag = { definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics' libDefinition: 
json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json')) } - + var varPolicyAssignmentDeploySQLDBAuditing = { definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json')) } - + var varPolicyAssignmentDeploySQLSecurity = { definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json')) } - + var varPolicyAssignmentDeploySQLThreat = { definitionId: '/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json')) } - + var varPolicyAssignmentDeployVMBackup = { definitionId: '/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json')) } - + var varPolicyAssignmentDeployVMMonitoring = { definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json')) } - + var varPolicyAssignmentDeployVMSSMonitoring = { definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json')) } - + var varPolicyAssignmentDeployWSArcMonitoring = { definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json')) } - + var varPolicyAssignmentEnableDDoSVNET = { definitionId: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json')) } - + var varPolicyAssignmentEnforceTLSSSL = { definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json')) } - + diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/_mc_policyDefinitionsBicepInput.txt b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/_mc_policyDefinitionsBicepInput.txt index 4fd5b95bd..c0a411068 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/_mc_policyDefinitionsBicepInput.txt +++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/_mc_policyDefinitionsBicepInput.txt 
@@ -1,388 +1,396 @@ { - name: 'Append-AppService-httpsonly' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_append_appservice_httpsonly.json')) + name: 'Append-AppService-httpsonly' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_append_appservice_httpsonly.json')) } { - name: 'Append-AppService-latestTLS' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_append_appservice_latesttls.json')) + name: 'Append-AppService-latestTLS' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_append_appservice_latesttls.json')) } { - name: 'Append-KV-SoftDelete' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_append_kv_softdelete.json')) + name: 'Append-KV-SoftDelete' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_append_kv_softdelete.json')) } { - name: 'Append-Redis-disableNonSslPort' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_append_redis_disablenonsslport.json')) + name: 'Append-Redis-disableNonSslPort' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_append_redis_disablenonsslport.json')) } { - name: 'Append-Redis-sslEnforcement' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_append_redis_sslenforcement.json')) + name: 'Append-Redis-sslEnforcement' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_append_redis_sslenforcement.json')) } { - name: 'Deny-AFSPaasPublicIP' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_afspaaspublicip.json')) + name: 'Deny-AFSPaasPublicIP' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_afspaaspublicip.json')) } { - 
name: 'Deny-AppGW-Without-WAF' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_appgw_without_waf.json')) + name: 'Deny-AppGW-Without-WAF' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_appgw_without_waf.json')) } { - name: 'Deny-AppServiceApiApp-http' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_appserviceapiapp_http.json')) + name: 'Deny-AppServiceApiApp-http' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_appserviceapiapp_http.json')) } { - name: 'Deny-AppServiceFunctionApp-http' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_appservicefunctionapp_http.json')) + name: 'Deny-AppServiceFunctionApp-http' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_appservicefunctionapp_http.json')) } { - name: 'Deny-AppServiceWebApp-http' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_appservicewebapp_http.json')) + name: 'Deny-AppServiceWebApp-http' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_appservicewebapp_http.json')) } { - name: 'Deny-KeyVaultPaasPublicIP' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_keyvaultpaaspublicip.json')) + name: 'Deny-KeyVaultPaasPublicIP' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_keyvaultpaaspublicip.json')) } { - name: 'Deny-MySql-http' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_mysql_http.json')) + name: 'Deny-MySql-http' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_mysql_http.json')) } { - name: 'Deny-PostgreSql-http' - libDefinition: 
json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_postgresql_http.json')) + name: 'Deny-PostgreSql-http' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_postgresql_http.json')) } { - name: 'Deny-Private-DNS-Zones' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_private_dns_zones.json')) + name: 'Deny-Private-DNS-Zones' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_private_dns_zones.json')) } { - name: 'Deny-PublicEndpoint-MariaDB' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_publicendpoint_mariadb.json')) + name: 'Deny-PublicEndpoint-MariaDB' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_publicendpoint_mariadb.json')) } { - name: 'Deny-PublicIP' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_publicip.json')) + name: 'Deny-PublicIP' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_publicip.json')) } { - name: 'Deny-RDP-From-Internet' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_rdp_from_internet.json')) + name: 'Deny-RDP-From-Internet' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_rdp_from_internet.json')) } { - name: 'Deny-Redis-http' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_redis_http.json')) + name: 'Deny-Redis-http' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_redis_http.json')) } { - name: 'Deny-Sql-minTLS' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_sql_mintls.json')) + name: 'Deny-Sql-minTLS' + libDefinition: 
json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_sql_mintls.json')) } { - name: 'Deny-SqlMi-minTLS' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_sqlmi_mintls.json')) + name: 'Deny-SqlMi-minTLS' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_sqlmi_mintls.json')) } { - name: 'Deny-Storage-minTLS' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_storage_mintls.json')) + name: 'Deny-Storage-minTLS' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_storage_mintls.json')) } { - name: 'Deny-Subnet-Without-Nsg' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_subnet_without_nsg.json')) + name: 'Deny-Subnet-Without-Nsg' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_subnet_without_nsg.json')) } { - name: 'Deny-Subnet-Without-Udr' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_subnet_without_udr.json')) + name: 'Deny-Subnet-Without-Udr' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_subnet_without_udr.json')) } { - name: 'Deny-VNET-Peer-Cross-Sub' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_vnet_peer_cross_sub.json')) + name: 'Deny-VNET-Peer-Cross-Sub' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_vnet_peer_cross_sub.json')) } { - name: 'Deny-VNet-Peering' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_vnet_peering.json')) + name: 'Deny-VNET-Peering-To-Non-Approved-VNETs' + libDefinition: 
json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_vnet_peering_to_non_approved_vnets.json')) } { - name: 'Deploy-ActivityLogs-to-LA-workspace' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_activitylogs_to_la_workspace.json')) + name: 'Deny-VNet-Peering' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_vnet_peering.json')) } { - name: 'Deploy-ASC-SecurityContacts' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_asc_securitycontacts.json')) + name: 'Deploy-ActivityLogs-to-LA-workspace' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_activitylogs_to_la_workspace.json')) } { - name: 'Deploy-DDoSProtection' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_ddosprotection.json')) + name: 'Deploy-ASC-SecurityContacts' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_asc_securitycontacts.json')) } { - name: 'Deploy-Default-Udr' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_default_udr.json')) + name: 'Deploy-DDoSProtection' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_ddosprotection.json')) } { - name: 'Deploy-Diagnostics-AA' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_aa.json')) + name: 'Deploy-Default-Udr' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_default_udr.json')) } { - name: 'Deploy-Diagnostics-ACI' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_aci.json')) + name: 'Deploy-Diagnostics-AA' + libDefinition: 
json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_aa.json')) } { - name: 'Deploy-Diagnostics-ACR' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_acr.json')) + name: 'Deploy-Diagnostics-ACI' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_aci.json')) } { - name: 'Deploy-Diagnostics-AnalysisService' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_analysisservice.json')) + name: 'Deploy-Diagnostics-ACR' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_acr.json')) } { - name: 'Deploy-Diagnostics-ApiForFHIR' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_apiforfhir.json')) + name: 'Deploy-Diagnostics-AnalysisService' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_analysisservice.json')) } { - name: 'Deploy-Diagnostics-APIMgmt' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_apimgmt.json')) + name: 'Deploy-Diagnostics-ApiForFHIR' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_apiforfhir.json')) } { - name: 'Deploy-Diagnostics-ApplicationGateway' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_applicationgateway.json')) + name: 'Deploy-Diagnostics-APIMgmt' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_apimgmt.json')) } { - name: 'Deploy-Diagnostics-CDNEndpoints' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_cdnendpoints.json')) + name: 
'Deploy-Diagnostics-ApplicationGateway' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_applicationgateway.json')) } { - name: 'Deploy-Diagnostics-CognitiveServices' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_cognitiveservices.json')) + name: 'Deploy-Diagnostics-Bastion' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_bastion.json')) } { - name: 'Deploy-Diagnostics-CosmosDB' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_cosmosdb.json')) + name: 'Deploy-Diagnostics-CDNEndpoints' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_cdnendpoints.json')) } { - name: 'Deploy-Diagnostics-Databricks' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_databricks.json')) + name: 'Deploy-Diagnostics-CognitiveServices' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_cognitiveservices.json')) } { - name: 'Deploy-Diagnostics-DataExplorerCluster' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_dataexplorercluster.json')) + name: 'Deploy-Diagnostics-CosmosDB' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_cosmosdb.json')) } { - name: 'Deploy-Diagnostics-DataFactory' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_datafactory.json')) + name: 'Deploy-Diagnostics-Databricks' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_databricks.json')) } { - name: 'Deploy-Diagnostics-DLAnalytics' - libDefinition: 
json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_dlanalytics.json')) + name: 'Deploy-Diagnostics-DataExplorerCluster' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_dataexplorercluster.json')) } { - name: 'Deploy-Diagnostics-EventGridSub' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_eventgridsub.json')) + name: 'Deploy-Diagnostics-DataFactory' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_datafactory.json')) } { - name: 'Deploy-Diagnostics-EventGridSystemTopic' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_eventgridsystemtopic.json')) + name: 'Deploy-Diagnostics-DLAnalytics' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_dlanalytics.json')) } { - name: 'Deploy-Diagnostics-EventGridTopic' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_eventgridtopic.json')) + name: 'Deploy-Diagnostics-EventGridSub' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_eventgridsub.json')) } { - name: 'Deploy-Diagnostics-ExpressRoute' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_expressroute.json')) + name: 'Deploy-Diagnostics-EventGridSystemTopic' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_eventgridsystemtopic.json')) } { - name: 'Deploy-Diagnostics-Firewall' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_firewall.json')) + name: 'Deploy-Diagnostics-EventGridTopic' + libDefinition: 
json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_eventgridtopic.json')) } { - name: 'Deploy-Diagnostics-FrontDoor' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_frontdoor.json')) + name: 'Deploy-Diagnostics-ExpressRoute' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_expressroute.json')) } { - name: 'Deploy-Diagnostics-Function' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_function.json')) + name: 'Deploy-Diagnostics-Firewall' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_firewall.json')) } { - name: 'Deploy-Diagnostics-HDInsight' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_hdinsight.json')) + name: 'Deploy-Diagnostics-FrontDoor' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_frontdoor.json')) } { - name: 'Deploy-Diagnostics-iotHub' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_iothub.json')) + name: 'Deploy-Diagnostics-Function' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_function.json')) } { - name: 'Deploy-Diagnostics-LoadBalancer' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_loadbalancer.json')) + name: 'Deploy-Diagnostics-HDInsight' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_hdinsight.json')) } { - name: 'Deploy-Diagnostics-LogicAppsISE' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_logicappsise.json')) + 
name: 'Deploy-Diagnostics-iotHub' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_iothub.json')) } { - name: 'Deploy-Diagnostics-MariaDB' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mariadb.json')) + name: 'Deploy-Diagnostics-LoadBalancer' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_loadbalancer.json')) } { - name: 'Deploy-Diagnostics-MediaService' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mediaservice.json')) + name: 'Deploy-Diagnostics-LogicAppsISE' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_logicappsise.json')) } { - name: 'Deploy-Diagnostics-MlWorkspace' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mlworkspace.json')) + name: 'Deploy-Diagnostics-MariaDB' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mariadb.json')) } { - name: 'Deploy-Diagnostics-MySQL' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mysql.json')) + name: 'Deploy-Diagnostics-MediaService' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mediaservice.json')) } { - name: 'Deploy-Diagnostics-NetworkSecurityGroups' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_networksecuritygroups.json')) + name: 'Deploy-Diagnostics-MlWorkspace' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mlworkspace.json')) } { - name: 'Deploy-Diagnostics-NIC' - libDefinition: 
json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_nic.json')) + name: 'Deploy-Diagnostics-MySQL' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mysql.json')) } { - name: 'Deploy-Diagnostics-PostgreSQL' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_postgresql.json')) + name: 'Deploy-Diagnostics-NetworkSecurityGroups' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_networksecuritygroups.json')) } { - name: 'Deploy-Diagnostics-PowerBIEmbedded' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_powerbiembedded.json')) + name: 'Deploy-Diagnostics-NIC' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_nic.json')) } { - name: 'Deploy-Diagnostics-RedisCache' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_rediscache.json')) + name: 'Deploy-Diagnostics-PostgreSQL' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_postgresql.json')) } { - name: 'Deploy-Diagnostics-Relay' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_relay.json')) + name: 'Deploy-Diagnostics-PowerBIEmbedded' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_powerbiembedded.json')) } { - name: 'Deploy-Diagnostics-SignalR' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_signalr.json')) + name: 'Deploy-Diagnostics-RedisCache' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_rediscache.json')) } 
{ - name: 'Deploy-Diagnostics-SQLElasticPools' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_sqlelasticpools.json')) + name: 'Deploy-Diagnostics-Relay' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_relay.json')) } { - name: 'Deploy-Diagnostics-SQLMI' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_sqlmi.json')) + name: 'Deploy-Diagnostics-SignalR' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_signalr.json')) } { - name: 'Deploy-Diagnostics-TimeSeriesInsights' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_timeseriesinsights.json')) + name: 'Deploy-Diagnostics-SQLElasticPools' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_sqlelasticpools.json')) } { - name: 'Deploy-Diagnostics-TrafficManager' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_trafficmanager.json')) + name: 'Deploy-Diagnostics-SQLMI' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_sqlmi.json')) } { - name: 'Deploy-Diagnostics-VirtualNetwork' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_virtualnetwork.json')) + name: 'Deploy-Diagnostics-TimeSeriesInsights' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_timeseriesinsights.json')) } { - name: 'Deploy-Diagnostics-VM' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_vm.json')) + name: 'Deploy-Diagnostics-TrafficManager' + libDefinition: 
json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_trafficmanager.json')) } { - name: 'Deploy-Diagnostics-VMSS' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_vmss.json')) + name: 'Deploy-Diagnostics-VirtualNetwork' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_virtualnetwork.json')) } { - name: 'Deploy-Diagnostics-VNetGW' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_vnetgw.json')) + name: 'Deploy-Diagnostics-VM' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_vm.json')) } { - name: 'Deploy-Diagnostics-WebServerFarm' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_webserverfarm.json')) + name: 'Deploy-Diagnostics-VMSS' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_vmss.json')) } { - name: 'Deploy-Diagnostics-Website' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_website.json')) + name: 'Deploy-Diagnostics-VNetGW' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_vnetgw.json')) } { - name: 'Deploy-Diagnostics-WVDAppGroup' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdappgroup.json')) + name: 'Deploy-Diagnostics-WebServerFarm' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_webserverfarm.json')) } { - name: 'Deploy-Diagnostics-WVDHostPools' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdhostpools.json')) + name: 
'Deploy-Diagnostics-Website' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_website.json')) } { - name: 'Deploy-Diagnostics-WVDWorkspace' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdworkspace.json')) + name: 'Deploy-Diagnostics-WVDAppGroup' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdappgroup.json')) } { - name: 'Deploy-FirewallPolicy' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_firewallpolicy.json')) + name: 'Deploy-Diagnostics-WVDHostPools' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdhostpools.json')) } { - name: 'Deploy-MySQL-sslEnforcement' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_mysql_sslenforcement.json')) + name: 'Deploy-Diagnostics-WVDWorkspace' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdworkspace.json')) } { - name: 'Deploy-MySQLCMKEffect' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_mysqlcmkeffect.json')) + name: 'Deploy-FirewallPolicy' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_firewallpolicy.json')) } { - name: 'Deploy-Nsg-FlowLogs-to-LA' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_nsg_flowlogs_to_la.json')) + name: 'Deploy-MySQL-sslEnforcement' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_mysql_sslenforcement.json')) } { - name: 'Deploy-Nsg-FlowLogs' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_nsg_flowlogs.json')) + name: 
'Deploy-MySQLCMKEffect' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_mysqlcmkeffect.json')) } { - name: 'Deploy-PostgreSQL-sslEnforcement' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_postgresql_sslenforcement.json')) + name: 'Deploy-Nsg-FlowLogs-to-LA' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_nsg_flowlogs_to_la.json')) } { - name: 'Deploy-PostgreSQLCMKEffect' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_postgresqlcmkeffect.json')) + name: 'Deploy-Nsg-FlowLogs' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_nsg_flowlogs.json')) } { - name: 'Deploy-Private-DNS-Azure-File-Sync' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_private_dns_azure_file_sync.json')) + name: 'Deploy-PostgreSQL-sslEnforcement' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_postgresql_sslenforcement.json')) } { - name: 'Deploy-Private-DNS-Azure-KeyVault' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_private_dns_azure_keyvault.json')) + name: 'Deploy-PostgreSQLCMKEffect' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_postgresqlcmkeffect.json')) } { - name: 'Deploy-Private-DNS-Azure-Web' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_private_dns_azure_web.json')) + name: 'Deploy-Private-DNS-Azure-File-Sync' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_private_dns_azure_file_sync.json')) } { - name: 'Deploy-Sql-AuditingSettings' - libDefinition: 
json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_auditingsettings.json')) + name: 'Deploy-Private-DNS-Azure-KeyVault' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_private_dns_azure_keyvault.json')) } { - name: 'Deploy-SQL-minTLS' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_mintls.json')) + name: 'Deploy-Private-DNS-Azure-Web' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_private_dns_azure_web.json')) } { - name: 'Deploy-Sql-SecurityAlertPolicies' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_securityalertpolicies.json')) + name: 'Deploy-Sql-AuditingSettings' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_auditingsettings.json')) } { - name: 'Deploy-Sql-Tde' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_tde.json')) + name: 'Deploy-SQL-minTLS' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_mintls.json')) } { - name: 'Deploy-Sql-vulnerabilityAssessments' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_vulnerabilityassessments.json')) + name: 'Deploy-Sql-SecurityAlertPolicies' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_securityalertpolicies.json')) } { - name: 'Deploy-SqlMi-minTLS' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sqlmi_mintls.json')) + name: 'Deploy-Sql-Tde' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_tde.json')) } { - name: 'Deploy-Storage-sslEnforcement' - libDefinition: 
json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_storage_sslenforcement.json')) + name: 'Deploy-Sql-vulnerabilityAssessments' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_vulnerabilityassessments.json')) } { - name: 'Deploy-VNET-HubSpoke' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_vnet_hubspoke.json')) + name: 'Deploy-SqlMi-minTLS' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sqlmi_mintls.json')) } { - name: 'Deploy-Windows-DomainJoin' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_windows_domainjoin.json')) + name: 'Deploy-Storage-sslEnforcement' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_storage_sslenforcement.json')) +} +{ + name: 'Deploy-VNET-HubSpoke' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_vnet_hubspoke.json')) +} +{ + name: 'Deploy-Windows-DomainJoin' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_windows_domainjoin.json')) } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deny_storage_mintls.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deny_storage_mintls.json index b4731c00e..1e813de5e 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deny_storage_mintls.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deny_storage_mintls.json 
@@ -6,7 +6,7 @@ "properties": { "policyType": "Custom", "mode": "Indexed", - "displayName": "Storage Account set to minumum TLS and Secure transfer should be enabled", + "displayName": "Storage Account set to minimum TLS and Secure transfer should be enabled", "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", "metadata": { "version": "1.0.0", diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deny_subnet_without_nsg.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deny_subnet_without_nsg.json index 877e82284..e88814c33 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deny_subnet_without_nsg.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deny_subnet_without_nsg.json @@ -7,9 +7,9 @@ "policyType": "Custom", "mode": "All", "displayName": "Subnets should have a Network Security Group", - "description": "This policy denies the creation of a subsnet with out an Network Security Group. NSG help to protect traffic across subnet-level.", + "description": "This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level.", "metadata": { - "version": "1.1.0", + "version": "2.0.0", "category": "Network" }, "parameters": { 
@@ -41,18 +41,48 @@ }, "policyRule": { "if": { - "allOf": [ + "anyOf": [ { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks/subnets" + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks", + "field": "type" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets[*]", + "where": { + "allOf": [ + { + "exists": "false", + "field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets[*].name", + "notIn": "[parameters('excludedSubnets')]" + } + ] + } + }, + "notEquals": 0 + } + ] }, { - "field": "name", - "notIn": "[parameters('excludedSubnets')]" - }, - { - "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id", - "exists": "false" + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/subnets" + }, + { + "field": "name", + "notIn": "[parameters('excludedSubnets')]" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id", + "exists": "false" + } + ] } ] }, diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deny_subnet_without_udr.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deny_subnet_without_udr.json index a8d5977b5..3a3b57aaf 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deny_subnet_without_udr.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deny_subnet_without_udr.json 
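Review bot: The new `Microsoft.Network/virtualNetworks` branch evaluates every write to a virtual network against all of its inline subnets, but the `description` (changed in the earlier hunk of this file) still only mentions "the creation of a subnet". Assuming the effect is a deny (the `then` block is outside this hunk), an update to an existing VNet that still holds a non-excluded subnet without an NSG would be rejected after rollout. Operators need to know that before assigning version 2.0.0. I would extend the text to something like `"description": "This policy denies the creation of a subnet without a Network Security Group, including subnets defined inline on a virtual network. ..."`. The same applies to the `@@ -39,18 +39,48 @@` hunk in policy_definition_es_mc_deny_subnet_without_udr.json. As a style point, the added conditions put `equals`/`exists` before `field`, while the retained ones put `field` first.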
@@ -7,9 +7,9 @@ "policyType": "Custom", "mode": "All", "displayName": "Subnets should have a User Defined Route", - "description": "This policy denies the creation of a subnet with out a User Defined Route.", + "description": "This policy denies the creation of a subnet without a User Defined Route (UDR).", "metadata": { - "version": "1.1.0", + "version": "2.0.0", "category": "Network" }, "parameters": { @@ -39,18 +39,48 @@ }, "policyRule": { "if": { - "allOf": [ + "anyOf": [ { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks/subnets" + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks", + "field": "type" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets[*]", + "where": { + "allOf": [ + { + "exists": "false", + "field": "Microsoft.Network/virtualNetworks/subnets[*].routeTable.id" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets[*].name", + "notIn": "[parameters('excludedSubnets')]" + } + ] + } + }, + "notEquals": 0 + } + ] }, { - "field": "name", - "notIn": "[parameters('excludedSubnets')]" - }, - { - "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id", - "exists": "false" + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/subnets" + }, + { + "field": "name", + "notIn": "[parameters('excludedSubnets')]" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id", + "exists": "false" + } + ] } ] }, diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deny_vnet_peering_to_non_approved_vnets.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deny_vnet_peering_to_non_approved_vnets.json new file mode 100644 index 000000000..74c5ee0a2 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deny_vnet_peering_to_non_approved_vnets.json 
@@ -0,0 +1,82 @@
+{
+ "name": "Deny-VNET-Peering-To-Non-Approved-VNETs",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Deny vNet peering to non-approved vNets",
+ "description": "This policy denies the creation of vNet Peerings to non-approved vNets under the assigned scope.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "allowedVnets": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Allowed vNets to peer with",
+ "description": "Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}"
+ },
+ "defaultValue": []
+ }
+ },
+ "policyRule": {
+ "if": {
+ "anyOf": [
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
+ "in": "[parameters('allowedVnets')]"
+ }
+ }
+ ]
+ },
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id",
+ "in": "[parameters('allowedVnets')]"
+ }
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id",
+ "exists": false
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
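Review bot: With `"defaultValue": []` on `allowedVnets` and `Deny` as the default effect, an assignment that supplies no parameters rejects every peering under its scope, and neither parameter description says so. Failing closed is a reasonable default, but it should be stated, for example by adding `An empty array denies all peerings.` to the `allowedVnets` description. The `effect` description reads "Enable or disable the execution of the policy" although `Audit` is also allowed; `Audit, Deny or Disabled the execution of the policy` would match the allowed values. As a style point, this file writes `"exists": false` as a boolean while the subnet NSG/UDR definitions in the same commit use the string `"false"`.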
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_apimgmt.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_apimgmt.json index 821c6e98f..178561ff3 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_apimgmt.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_apimgmt.json @@ -147,6 +147,10 @@ { "category": "GatewayLogs", "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "WebSocketConnectionLogs", + "enabled": "[parameters('logsEnabled')]" } ] } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_bastion.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_bastion.json new file mode 100644 index 000000000..fd911f910 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_bastion.json 
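Review bot: The added `WebSocketConnectionLogs` category will probably not reach API Management instances that already carry a policy-created diagnostic setting. The `existenceCondition` is outside this hunk, but in the Bastion definition added by this commit it only checks `logs.enabled`, `metrics.enabled` and `workspaceId`; if this file follows the same pattern, those resources stay compliant and are never redeployed. The same applies to the ten `AZFW*` categories added in policy_definition_es_mc_deploy_diagnostics_firewall.json, where the gap matters more because `AZFWThreatIntel` and `AZFWIdpsSignature` feed detection. Neither file's diff touches `metadata.version`, unlike the mlworkspace change. I would bump it in both files and note in the change description that already-configured resources need their settings redeployed to pick up the new categories.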
@@ -0,0 +1,183 @@ +{ + "name": "Deploy-Diagnostics-Bastion", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log 
Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/bastionHosts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/bastionHosts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "BastionAuditLogs", + "enabled": "[parameters('logsEnabled')]" 
+ } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_firewall.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_firewall.json index f9be154a5..f5e67eda7 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_firewall.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_firewall.json 
@@ -155,6 +155,46 @@
 {
 "category": "AzureFirewallDnsProxy",
 "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AZFWNetworkRule",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AZFWApplicationRule",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AZFWNatRule",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AZFWThreatIntel",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AZFWIdpsSignature",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AZFWDnsQuery",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AZFWFqdnResolveFailure",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AZFWApplicationRuleAggregation",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AZFWNetworkRuleAggregation",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AZFWNatRuleAggregation",
+ "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mlworkspace.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mlworkspace.json
index 4a484cd00..866dedbf2 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mlworkspace.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mlworkspace.json
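Review bot: Firewalls that already carry the `setByPolicy` diagnostic setting will probably never receive the ten AZFW* categories added in this hunk. The Bastion definition earlier in this diff evaluates compliance only on `logs.enabled`, `metrics.enabled` and `workspaceId`; if this definition's existenceCondition (outside the hunk) has the same shape, an existing setting still satisfies it and deployIfNotExists does not redeploy, so `AZFWThreatIntel` and `AZFWIdpsSignature` stay off on those resources unless the old setting is deleted or the condition is extended to look at the new categories. The same applies to the category additions in the ML workspace and AVD host pools definitions further down. This file section also has no hunk touching `metadata.version`, while those two definitions bump theirs to `1.1.0` for the equivalent change.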
@@ -9,7 +9,7 @@
 "displayName": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace",
 "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Monitoring"
 },
 "parameters": {
@@ -134,39 +134,12 @@
 "workspaceId": "[parameters('logAnalytics')]",
 "metrics": [
 {
- "category": "Run",
+ "category": "AllMetrics",
 "enabled": "[parameters('metricsEnabled')]",
 "retentionPolicy": {
- "days": 0,
- "enabled": false
- },
- "timeGrain": null
- },
- {
- "category": "Model",
- "enabled": "[parameters('metricsEnabled')]",
- "retentionPolicy": {
- "days": 0,
- "enabled": true
+ "enabled": false,
+ "days": 0
 }
- },
- {
- "category": "Quota",
- "enabled": "[parameters('metricsEnabled')]",
- "retentionPolicy": {
- "days": 0,
- "enabled": false
- },
- "timeGrain": null
- },
- {
- "category": "Resource",
- "enabled": "[parameters('metricsEnabled')]",
- "retentionPolicy": {
- "days": 0,
- "enabled": false
- },
- "timeGrain": null
 }
 ],
 "logs": [
@@ -189,6 +162,90 @@
 {
 "category": "AmlRunStatusChangedEvent",
 "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "ModelsChangeEvent",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "ModelsReadEvent",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "ModelsActionEvent",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "DeploymentReadEvent",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "DeploymentEventACI",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "DeploymentEventAKS",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "InferencingOperationAKS",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "InferencingOperationACI",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "DataLabelChangeEvent",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "DataLabelReadEvent",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "ComputeInstanceEvent",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "DataStoreChangeEvent",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "DataStoreReadEvent",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "DataSetChangeEvent",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "DataSetReadEvent",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "PipelineChangeEvent",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "PipelineReadEvent",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "RunEvent",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "RunReadEvent",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "EnvironmentChangeEvent",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "EnvironmentReadEvent",
+ "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
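Review bot: Nothing in this hunk shows that the 21 added log categories are all offered for Machine Learning workspaces in Azure China, the cloud this `es_mc_` definition targets. As far as I know, a diagnostic setting that names a category the resource provider does not expose is rejected as a whole, which would leave a workspace with no audit logs rather than a subset, so the list is worth validating against a workspace in the target cloud before merge. The read-event categories (`ModelsReadEvent`, `DataStoreReadEvent`, `DataSetReadEvent`, `PipelineReadEvent`, `RunReadEvent`, `EnvironmentReadEvent`) also share the single `logsEnabled` switch with the change events, so they cannot be turned down for volume without losing the change trail; a separate parameter for the read categories would avoid that trade-off.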
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdappgroup.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdappgroup.json
index ea275ecf8..bd8512f49 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdappgroup.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdappgroup.json
@@ -6,10 +6,10 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for WVD Application group to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for WVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "displayName": "Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.1",
 "category": "Monitoring"
 },
 "parameters": {
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdhostpools.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdhostpools.json
index 72956ce51..c9f61de71 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdhostpools.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdhostpools.json
@@ -6,10 +6,10 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for WVD Host Pools to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for WVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "displayName": "Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Monitoring"
 },
 "parameters": {
@@ -137,6 +137,14 @@
 {
 "category": "AgentHealthStatus",
 "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "NetworkData",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "SessionHostManagement",
+ "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdworkspace.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdworkspace.json
index becf90fc2..ffea0cba7 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdworkspace.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdworkspace.json
@@ -6,10 +6,10 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.1",
 "category": "Monitoring"
 },
 "parameters": {
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_storage_sslenforcement.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_storage_sslenforcement.json
index 7635e450e..d2a443691 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_storage_sslenforcement.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_deploy_storage_sslenforcement.json
@@ -7,9 +7,9 @@
 "policyType": "Custom",
 "mode": "Indexed",
 "displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ",
- "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure STorage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
+ "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Storage"
 },
 "parameters": {
@@ -21,7 +21,7 @@
 "Disabled"
 ],
 "metadata": {
- "displayName": "Effect Azure STorage",
+ "displayName": "Effect Azure Storage",
 "description": "Enable or disable the execution of the policy minimum TLS version Azure STorage"
 }
 },
@@ -34,7 +34,7 @@
 "TLS1_0"
 ],
 "metadata": {
- "displayName": "Select version for PostgreSQL server",
+ "displayName": "Select TLS version for Azure Storage server",
 "description": "Select version minimum TLS version Azure STorage to enforce"
 }
 }
@@ -63,7 +63,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
- "type": "Microsoft.DBforPostgreSQL/servers",
+ "type": "Microsoft.Storage/storageAccounts",
 "existenceCondition": {
 "allOf": [
 {
@@ -73,10 +73,6 @@
 {
 "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
 "equals": "[parameters('minimumTlsVersion')]"
- },
- {
- "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
- "equals": "false"
 }
 ]
 },
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/_mc_policySetDefinitionsBicepInput.txt b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/_mc_policySetDefinitionsBicepInput.txt
index a73189b1c..8a7b20415 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/_mc_policySetDefinitionsBicepInput.txt
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/_mc_policySetDefinitionsBicepInput.txt
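Review bot: After this removal the only existence check visible in the diff is the `minimumTlsVersion` comparison; the first `allOf` entry sits between this hunk and the previous one (old lines 70-72) and is not shown. Please confirm it still requires `"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly"` with `"equals": "true"`; if it does not, an account that accepts plain HTTP but has the right TLS floor would evaluate as compliant and never be remediated. The `minimumTlsVersion` parameter also still lists `TLS1_0` as an allowed value (context of the `@@ -34,7 +34,7 @@` hunk), so the policy can be assigned with a floor that most baselines now reject. Two context descriptions in the `@@ -21,7` and `@@ -34,7` hunks keep the `Azure STorage` spelling that this commit corrects elsewhere.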
@@ -1,712 +1,722 @@ { - name: 'Deny-PublicPaaSEndpoints' - libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.json')) - libSetChildDefinitions: [ - { - definitionReferenceId: 'ACRDenyPaasPublicIP' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).ACRDenyPaasPublicIP.parameters - } - { - definitionReferenceId: 'AFSDenyPaasPublicIP' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).AFSDenyPaasPublicIP.parameters - } - { - definitionReferenceId: 'AKSDenyPaasPublicIP' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).AKSDenyPaasPublicIP.parameters - } - { - definitionReferenceId: 'BatchDenyPublicIP' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).BatchDenyPublicIP.parameters - } - { - definitionReferenceId: 'CosmosDenyPaasPublicIP' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).CosmosDenyPaasPublicIP.parameters - } - { - definitionReferenceId: 
'KeyVaultDenyPaasPublicIP' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).KeyVaultDenyPaasPublicIP.parameters - } - { - definitionReferenceId: 'SqlServerDenyPaasPublicIP' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).SqlServerDenyPaasPublicIP.parameters - } - { - definitionReferenceId: 'StorageDenyPaasPublicIP' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).StorageDenyPaasPublicIP.parameters - } - ] -} + name: 'Deny-PublicPaaSEndpoints' + libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.json')) + libSetChildDefinitions: [ + { + definitionReferenceId: 'ACRDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).ACRDenyPaasPublicIP.parameters + } + { + definitionReferenceId: 'AFSDenyPaasPublicIP' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).AFSDenyPaasPublicIP.parameters + } + { + 
definitionReferenceId: 'AKSDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).AKSDenyPaasPublicIP.parameters + } + { + definitionReferenceId: 'BatchDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).BatchDenyPublicIP.parameters + } + { + definitionReferenceId: 'CosmosDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).CosmosDenyPaasPublicIP.parameters + } + { + definitionReferenceId: 'KeyVaultDenyPaasPublicIP' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).KeyVaultDenyPaasPublicIP.parameters + } + { + definitionReferenceId: 'SqlServerDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).SqlServerDenyPaasPublicIP.parameters + } + { + definitionReferenceId: 'StorageDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).StorageDenyPaasPublicIP.parameters + } + ] +} { - name: 'Deploy-ASCDF-Config' - libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.json')) - libSetChildDefinitions: [ - { - definitionReferenceId: 'ascExport' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json')).ascExport.parameters - } - { - definitionReferenceId: 'defenderForSqlPaas' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json')).defenderForSqlPaas.parameters - } - { - definitionReferenceId: 'defenderForVM' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json')).defenderForVM.parameters - } - { - definitionReferenceId: 'securityEmailContact' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json')).securityEmailContact.parameters - } - ] -} + name: 'Deploy-Diagnostics-LogAnalytics' + libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.json')) + libSetChildDefinitions: [ + { + definitionReferenceId: 
'ACIDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ACIDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'ACRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ACRDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'AKSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AKSDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AnalysisServiceDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).APIforFHIRDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).APIMgmtDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'AppServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AppServiceDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AppServiceWebappDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + 
definitionReferenceId: 'AutomationDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AutomationDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'BastionDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).BastionDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).BatchDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).CDNEndpointsDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).CognitiveServicesDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'CosmosDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).CosmosDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'DatabricksDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DatabricksDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + 
definitionReferenceId: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataFactoryDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataLakeStoreDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventGridSubDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventGridTopicDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'EventHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventHubDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventSystemTopicDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ExpressRouteDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'FirewallDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).FirewallDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 
'FrontDoorDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).FrontDoorDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).FunctionAppDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'HDInsightDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).HDInsightDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'IotHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).IotHubDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).KeyVaultDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).LoadBalancerDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).LogicAppsISEDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).LogicAppsWFDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'MariaDBDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MariaDBDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 
'MediaServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MediaServiceDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MlWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'MySQLDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MySQLDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).NetworkNICDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).PostgreSQLDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).RecoveryVaultDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + 
definitionReferenceId: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).RedisCacheDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'RelayDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).RelayDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SearchServicesDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ServiceBusDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'SignalRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SignalRDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SQLDatabaseDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'SQLMDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SQLMDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).StorageAccountDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).TrafficManagerDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VirtualMachinesDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VirtualNetworkDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'VMSSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VMSSDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'VNetGWDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VNetGWDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).WVDAppGroupDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters + } + ] +} { - name: 'Deploy-Diagnostics-LogAnalytics' - 
libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.json')) - libSetChildDefinitions: [ - { - definitionReferenceId: 'ACIDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ACIDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'ACRDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ACRDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'AKSDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AKSDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AnalysisServiceDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics' - definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).APIforFHIRDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).APIMgmtDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'AppServiceDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AppServiceDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AppServiceWebappDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'AutomationDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AutomationDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).BatchDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).CDNEndpointsDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).CognitiveServicesDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 
'CosmosDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).CosmosDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'DatabricksDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DatabricksDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataFactoryDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataLakeStoreDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventGridSubDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventGridTopicDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'EventHubDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventHubDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 
'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventSystemTopicDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ExpressRouteDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'FirewallDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).FirewallDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).FrontDoorDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).FunctionAppDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'HDInsightDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).HDInsightDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'IotHubDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).IotHubDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).KeyVaultDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).LoadBalancerDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics' - 
definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).LogicAppsISEDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).LogicAppsWFDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'MariaDBDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MariaDBDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MediaServiceDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MlWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'MySQLDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MySQLDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).NetworkNICDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 
'PostgreSQLDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).PostgreSQLDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).RecoveryVaultDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).RedisCacheDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'RelayDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).RelayDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SearchServicesDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ServiceBusDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'SignalRDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SignalRDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SQLDatabaseDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics' - definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'SQLMDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SQLMDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).StorageAccountDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).TrafficManagerDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VirtualMachinesDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VirtualNetworkDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'VMSSDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VMSSDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 
'VNetGWDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VNetGWDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).WVDAppGroupDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters - } - ] -} + name: 'Deploy-MDFC-Config' + libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.json')) + libSetChildDefinitions: [ + { + definitionReferenceId: 'ascExport' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.parameters.json')).ascExport.parameters + } + { + definitionReferenceId: 'defenderForContainers' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.parameters.json')).defenderForContainers.parameters + } + { + definitionReferenceId: 'defenderForSqlPaas' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.parameters.json')).defenderForSqlPaas.parameters + } + { + definitionReferenceId: 'defenderForVM' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.parameters.json')).defenderForVM.parameters + } + { + definitionReferenceId: 'securityEmailContact' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.parameters.json')).securityEmailContact.parameters + } + ] +} { - name: 'Deploy-Private-DNS-Zones' - libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.json')) - libSetChildDefinitions: [ - { - definitionReferenceId: 'Deploy-Private-DNS-Azure-File-Sync' - definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).Deploy-Private-DNS-Azure-File-Sync.parameters - } - { - definitionReferenceId: 'Deploy-Private-DNS-Azure-KeyVault' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).Deploy-Private-DNS-Azure-KeyVault.parameters - } - { - definitionReferenceId: 'Deploy-Private-DNS-Azure-Web' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).Deploy-Private-DNS-Azure-Web.parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-ACR' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-ACR.parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-App' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-App.parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-AppServices' - definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-AppServices.parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Batch' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-Batch.parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveSearch' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-CognitiveSearch.parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveServices' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-CognitiveServices.parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-DiskAccess' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-DiskAccess.parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridDomains' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d' - 
definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-EventGridDomains.parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridTopics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-EventGridTopics.parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-EventHubNamespace' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-EventHubNamespace.parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-IoT' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-IoT.parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-IoTHubs' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-IoTHubs.parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-MachineLearningWorkspace' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-MachineLearningWorkspace.parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-RedisCache' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-RedisCache.parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-ServiceBusNamespace' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-ServiceBusNamespace.parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-SignalR' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-SignalR.parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-Site-Recovery.parameters - } - ] -} + name: 'Deploy-Private-DNS-Zones' + libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.json')) + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deploy-Private-DNS-Azure-File-Sync' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).Deploy-Private-DNS-Azure-File-Sync.parameters + } + { + definitionReferenceId: 'Deploy-Private-DNS-Azure-KeyVault' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).Deploy-Private-DNS-Azure-KeyVault.parameters + } + { + definitionReferenceId: 'Deploy-Private-DNS-Azure-Web' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).Deploy-Private-DNS-Azure-Web.parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-ACR' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-ACR.parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-App' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-App.parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-AppServices' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-AppServices.parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Batch' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-Batch.parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveSearch' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-CognitiveSearch.parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-CognitiveServices.parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-DiskAccess' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-DiskAccess.parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridDomains' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d' + 
definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-EventGridDomains.parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridTopics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-EventGridTopics.parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-EventHubNamespace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-EventHubNamespace.parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-IoT' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-IoT.parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-IoTHubs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-IoTHubs.parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-MachineLearningWorkspace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-MachineLearningWorkspace.parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-RedisCache' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-RedisCache.parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-ServiceBusNamespace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-ServiceBusNamespace.parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-SignalR' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-SignalR.parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-Site-Recovery.parameters + } + ] +} { - name: 'Deploy-Sql-Security' - libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.json')) - libSetChildDefinitions: [ - { - definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity' - definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbAuditingSettingsDeploySqlSecurity.parameters - } - { - definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters - } - { - definitionReferenceId: 'SqlDbTdeDeploySqlSecurity' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbTdeDeploySqlSecurity.parameters - } - { - definitionReferenceId: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters - } - ] -} + name: 'Deploy-Sql-Security' + libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.json')) + libSetChildDefinitions: [ + { + definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbAuditingSettingsDeploySqlSecurity.parameters + } + { + definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters + } + { + definitionReferenceId: 'SqlDbTdeDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbTdeDeploySqlSecurity.parameters + } + { + definitionReferenceId: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters + } + ] +} { - name: 'Enforce-Encryption-CMK' - libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.json')) - libSetChildDefinitions: [ - { - definitionReferenceId: 'ACRCmkDeny' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).ACRCmkDeny.parameters - } - { - definitionReferenceId: 'AksCmkDeny' - definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).AksCmkDeny.parameters - } - { - definitionReferenceId: 'AzureBatchCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).AzureBatchCMKEffect.parameters - } - { - definitionReferenceId: 'CognitiveServicesCMK' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).CognitiveServicesCMK.parameters - } - { - definitionReferenceId: 'CosmosCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).CosmosCMKEffect.parameters - } - { - definitionReferenceId: 'DataBoxCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).DataBoxCMKEffect.parameters - } - { - definitionReferenceId: 'EncryptedVMDisksEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).EncryptedVMDisksEffect.parameters - } - { - 
definitionReferenceId: 'MySQLCMKEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).MySQLCMKEffect.parameters - } - { - definitionReferenceId: 'PostgreSQLCMKEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).PostgreSQLCMKEffect.parameters - } - { - definitionReferenceId: 'SqlServerTDECMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).SqlServerTDECMKEffect.parameters - } - { - definitionReferenceId: 'StorageCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).StorageCMKEffect.parameters - } - { - definitionReferenceId: 'StreamAnalyticsCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).StreamAnalyticsCMKEffect.parameters - } - { - definitionReferenceId: 'SynapseWorkspaceCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).SynapseWorkspaceCMKEffect.parameters - } - { - definitionReferenceId: 'WorkspaceCMK' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).WorkspaceCMK.parameters - } - ] -} + name: 'Enforce-Encryption-CMK' + libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.json')) + libSetChildDefinitions: [ + { + definitionReferenceId: 'ACRCmkDeny' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).ACRCmkDeny.parameters + } + { + definitionReferenceId: 'AksCmkDeny' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).AksCmkDeny.parameters + } + { + definitionReferenceId: 'AzureBatchCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).AzureBatchCMKEffect.parameters + } + { + definitionReferenceId: 'CognitiveServicesCMK' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).CognitiveServicesCMK.parameters + } + { + definitionReferenceId: 'CosmosCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).CosmosCMKEffect.parameters + } + { + definitionReferenceId: 'DataBoxCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).DataBoxCMKEffect.parameters + } + { + definitionReferenceId: 'EncryptedVMDisksEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).EncryptedVMDisksEffect.parameters + } + { + definitionReferenceId: 'MySQLCMKEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).MySQLCMKEffect.parameters + } + { + definitionReferenceId: 'PostgreSQLCMKEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).PostgreSQLCMKEffect.parameters + } + { + definitionReferenceId: 'SqlServerTDECMKEffect' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).SqlServerTDECMKEffect.parameters + } + { + definitionReferenceId: 'StorageCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).StorageCMKEffect.parameters + } + { + definitionReferenceId: 'StreamAnalyticsCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).StreamAnalyticsCMKEffect.parameters + } + { + definitionReferenceId: 'SynapseWorkspaceCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).SynapseWorkspaceCMKEffect.parameters + } + { + definitionReferenceId: 'WorkspaceCMK' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).WorkspaceCMK.parameters + } + ] +} { - name: 'Enforce-EncryptTransit' - libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.json')) - libSetChildDefinitions: [ - { - definitionReferenceId: 'AKSIngressHttpsOnlyEffect' - definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).AKSIngressHttpsOnlyEffect.parameters - } - { - definitionReferenceId: 'APIAppServiceHttpsEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).APIAppServiceHttpsEffect.parameters - } - { - definitionReferenceId: 'APIAppServiceLatestTlsEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).APIAppServiceLatestTlsEffect.parameters - } - { - definitionReferenceId: 'AppServiceHttpEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).AppServiceHttpEffect.parameters - } - { - definitionReferenceId: 'AppServiceminTlsVersion' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).AppServiceminTlsVersion.parameters - } - { - definitionReferenceId: 'FunctionLatestTlsEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).FunctionLatestTlsEffect.parameters - } - { - definitionReferenceId: 'FunctionServiceHttpsEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).FunctionServiceHttpsEffect.parameters - } - { - definitionReferenceId: 'MySQLEnableSSLDeployEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).MySQLEnableSSLDeployEffect.parameters - } - { - definitionReferenceId: 'MySQLEnableSSLEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).MySQLEnableSSLEffect.parameters - } - { - definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).PostgreSQLEnableSSLDeployEffect.parameters - } - { - definitionReferenceId: 'PostgreSQLEnableSSLEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).PostgreSQLEnableSSLEffect.parameters - } - { - definitionReferenceId: 'RedisDenyhttps' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).RedisDenyhttps.parameters - } - { - definitionReferenceId: 'RedisdisableNonSslPort' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).RedisdisableNonSslPort.parameters - } - { - definitionReferenceId: 'RedisTLSDeployEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).RedisTLSDeployEffect.parameters - } - { - definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLManagedInstanceTLSDeployEffect.parameters - } - { - definitionReferenceId: 'SQLManagedInstanceTLSEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLManagedInstanceTLSEffect.parameters - } - { - definitionReferenceId: 'SQLServerTLSDeployEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLServerTLSDeployEffect.parameters - } - { - definitionReferenceId: 'SQLServerTLSEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLServerTLSEffect.parameters - } - { - definitionReferenceId: 'StorageDeployHttpsEnabledEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).StorageDeployHttpsEnabledEffect.parameters - } - { - definitionReferenceId: 'StorageHttpsEnabledEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).StorageHttpsEnabledEffect.parameters - } - { - definitionReferenceId: 'WebAppServiceHttpsEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).WebAppServiceHttpsEffect.parameters - } - { - definitionReferenceId: 'WebAppServiceLatestTlsEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).WebAppServiceLatestTlsEffect.parameters - } - ] -} + name: 'Enforce-EncryptTransit' + libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.json')) + libSetChildDefinitions: [ + { + definitionReferenceId: 'AKSIngressHttpsOnlyEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).AKSIngressHttpsOnlyEffect.parameters + } + { + definitionReferenceId: 'APIAppServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).APIAppServiceHttpsEffect.parameters + } + { + definitionReferenceId: 'APIAppServiceLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).APIAppServiceLatestTlsEffect.parameters + } + { + definitionReferenceId: 'AppServiceHttpEffect' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).AppServiceHttpEffect.parameters + } + { + definitionReferenceId: 'AppServiceminTlsVersion' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).AppServiceminTlsVersion.parameters + } + { + definitionReferenceId: 'FunctionLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).FunctionLatestTlsEffect.parameters + } + { + definitionReferenceId: 'FunctionServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).FunctionServiceHttpsEffect.parameters + } + { + definitionReferenceId: 'MySQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).MySQLEnableSSLDeployEffect.parameters + } + { + definitionReferenceId: 'MySQLEnableSSLEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http' + 
definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).MySQLEnableSSLEffect.parameters + } + { + definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).PostgreSQLEnableSSLDeployEffect.parameters + } + { + definitionReferenceId: 'PostgreSQLEnableSSLEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).PostgreSQLEnableSSLEffect.parameters + } + { + definitionReferenceId: 'RedisDenyhttps' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).RedisDenyhttps.parameters + } + { + definitionReferenceId: 'RedisdisableNonSslPort' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).RedisdisableNonSslPort.parameters + } + { + definitionReferenceId: 'RedisTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).RedisTLSDeployEffect.parameters + } + { + definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLManagedInstanceTLSDeployEffect.parameters + } + { + definitionReferenceId: 'SQLManagedInstanceTLSEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLManagedInstanceTLSEffect.parameters + } + { + definitionReferenceId: 'SQLServerTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLServerTLSDeployEffect.parameters + } + { + definitionReferenceId: 'SQLServerTLSEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLServerTLSEffect.parameters + } + { + definitionReferenceId: 'StorageDeployHttpsEnabledEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).StorageDeployHttpsEnabledEffect.parameters + } + { + definitionReferenceId: 'StorageHttpsEnabledEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).StorageHttpsEnabledEffect.parameters + } + { + definitionReferenceId: 'WebAppServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).WebAppServiceHttpsEffect.parameters + } + { + definitionReferenceId: 'WebAppServiceLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).WebAppServiceLatestTlsEffect.parameters + } + ] +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.json index 48e1ddadd..50edc9189 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.json 
@@ -8,7 +8,7 @@
 "displayName": "Deploy Diagnostic Settings to Azure Services",
 "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included ",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Monitoring"
 },
 "parameters": {
@@ -124,6 +124,18 @@
 "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
 }
 },
+ "BastionLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
 "BatchLogAnalyticsEffect": {
 "type": "String",
 "defaultValue": "DeployIfNotExists",
@@ -720,8 +732,8 @@
 "Disabled"
 ],
 "metadata": {
- "displayName": "Deploy Diagnostic Settings for WVD Application Groups to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for WVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ "displayName": "Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
 }
 },
 "WVDWorkspaceLogAnalyticsEffect": {
@@ -732,8 +744,8 @@
 "Disabled"
 ],
 "metadata": {
- "displayName": "Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
 }
 },
 "WVDHostPoolsLogAnalyticsEffect": {
@@ -744,8 +756,8 @@
 "Disabled"
 ],
 "metadata": {
- "displayName": "Deploy Diagnostic Settings for WVD Host pools to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for WVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ "displayName": "Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
 }
 },
 "StorageAccountsLogAnalyticsEffect": {
@@ -808,7 +820,7 @@
 "groupNames": []
 },
 {
- "policyDefinitionReferenceId": "WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionReferenceId": "AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics",
 "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools",
 "parameters": {
 "logAnalytics": {
@@ -951,6 +963,22 @@
 },
 "groupNames": []
 },
+ {
+ "policyDefinitionReferenceId": "BastionDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('BastionLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
 {
 "policyDefinitionReferenceId": "BatchDeployDiagnosticLogDeployLogAnalytics",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5",
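Review bot: Renaming `policyDefinitionReferenceId` to `AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics` in the `-808,7` hunk changes an identifier that policy exemptions and compliance queries can key on, while the referenced definition (`Deploy-Diagnostics-WVDHostPools`) and the effect parameter (`WVDHostPoolsLogAnalyticsEffect`) keep the WVD name. An exemption that lists the old id in `policyDefinitionReferenceIds` would presumably no longer match once the set is redeployed, so this deserves an explicit upgrade note and arguably more than the 1.0.0 to 1.1.0 bump in the first hunk. The sibling ids appear to stay WVD-prefixed (`WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics` is still context in the parameters file), so either rename the three together or keep `WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics` for now. The same rename is mirrored in the two hunks of the `.parameters.json` file.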
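Review bot: The new `BastionDeployDiagnosticLogDeployLogAnalytics` member in the `-951,6` hunk points at a custom definition, `Deploy-Diagnostics-Bastion`, under `${varTargetManagementGroupResourceId}`, so the set can only deploy if that definition exists in the China library and in `varCustomPolicyDefinitionsArray`. Neither is visible in this part of the diff (the only array addition shown is `Deny-VNET-Peering-To-Non-Approved-VNETs`), so please confirm it is added in the same commit. If it is missing, the whole diagnostics set would presumably fail to deploy, not just the Bastion member.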
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json
index ba22c72b9..30a6f3b4f 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json
@@ -129,6 +129,32 @@
 }
 }
 },
+ "AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics": {
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('WVDHostPoolsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ },
+ "BastionDeployDiagnosticLogDeployLogAnalytics": {
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('BastionLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ },
 "BatchDeployDiagnosticLogDeployLogAnalytics": {
 "parameters": {
 "logAnalytics": {
@@ -776,19 +802,6 @@
 }
 }
 },
- "WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics": {
- "parameters": {
- "logAnalytics": {
- "value": "[[parameters('logAnalytics')]"
- },
- "effect": {
- "value": "[[parameters('WVDHostPoolsLogAnalyticsEffect')]"
- },
- "profileName": {
- "value": "[[parameters('profileName')]"
- }
- }
- },
 "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics": {
 "parameters": {
 "logAnalytics": {
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.json
similarity index 86%
rename from infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.json
rename to infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.json
index 92d65a169..fbc6b79b8 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.json
@@ -1,5 +1,5 @@
 {
- "name": "Deploy-ASCDF-Config",
+ "name": "Deploy-MDFC-Config",
 "type": "Microsoft.Authorization/policySetDefinitions",
 "apiVersion": "2021-06-01",
 "scope": null,
@@ -8,7 +8,7 @@
 "displayName": "Deploy Microsoft Defender for Cloud configuration",
 "description": "Deploy Microsoft Defender for Cloud configuration",
 "metadata": {
- "version": "2.0.0",
+ "version": "3.0.0",
 "category": "Security Center"
 },
 "parameters": {
@@ -54,6 +54,13 @@
 "displayName": "Effect",
 "description": "Enable or disable the execution of the policy"
 }
+ },
+ "enableAscForContainers": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
 }
 },
 "policyDefinitions": [
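Review bot: Changing `name` from `Deploy-ASCDF-Config` to `Deploy-MDFC-Config` in the `-1,5` hunk creates a new policy set definition rather than updating the existing one, so any assignment that still references `.../policySetDefinitions/Deploy-ASCDF-Config` keeps evaluating the old set and will not pick up the Defender for Containers member added further down. The assignment files and modules that reference the old id are not in this part of the diff; please confirm they move in the same commit. The upgrade notes should also tell operators to reassign and then remove the orphaned `Deploy-ASCDF-Config` set, otherwise two Defender for Cloud initiatives can coexist with different coverage.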
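Review bot: `enableAscForContainers` in the `-54,6` hunk is declared with only `type` and `metadata`, so any string is accepted at assignment time and a typo in the effect is only caught when the policy is evaluated. The preceding parameter's visible metadata has the same shape, so this may be the file's convention, but constraining it is cheap: add `"allowedValues": ["DeployIfNotExists", "Disabled"]` and `"defaultValue": "DeployIfNotExists"`, after confirming those effects against the built-in definition. The `displayName` is also the generic `Effect`, which makes the parameters indistinguishable in the portal; something like `"displayName": "Effect for Defender for Containers"` would help.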
@@ -77,6 +84,16 @@ }, "groupNames": [] }, + { + "policyDefinitionReferenceId": "defenderForContainers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + } + }, + "groupNames": [] + }, { "policyDefinitionReferenceId": "securityEmailContact", "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.parameters.json similarity index 84% rename from infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json rename to infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.parameters.json index f4a462470..498ed3714 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.parameters.json @@ -12,6 +12,13 @@ } } }, + "defenderForContainers": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + } + } + }, "defenderForSqlPaas": { "parameters": { "effect": { diff --git a/infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep b/infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep index 91d8f4ef8..a1b877335 100644 
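Review bot: `defenderForContainers` points at a hard-coded built-in ID, `/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f`, while the script comment in this same commit says Azure China is missing some built-in policies. Nothing visible confirms that this built-in exists in the China cloud; if it does not, the whole `Deploy-MDFC-Config` initiative would presumably fail to deploy and take the other Defender for Cloud settings with it. Verify the ID against the target cloud's built-in definitions before merge. The matching `defenderForContainers` entry in the `.parameters.json` hunk on this line depends on the same check.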
--- a/infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep +++ b/infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep @@ -8,7 +8,7 @@ param parTelemetryOptOut bool = false var varTargetManagementGroupResourceId = tenantResourceId('Microsoft.Management/managementGroups', parTargetManagementGroupId) -// This variable contains a number of objects that load in the custom Azure Policy Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\policy_definitions\_policyDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable. +// This variable contains a number of objects that load in the custom Azure Policy Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\china\policy_definitions\_mc_policyDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable. var varCustomPolicyDefinitionsArray = [ { name: 'Append-AppService-httpsonly' @@ -106,6 +106,10 @@ var varCustomPolicyDefinitionsArray = [ name: 'Deny-VNET-Peer-Cross-Sub' libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_vnet_peer_cross_sub.json')) } + { + name: 'Deny-VNET-Peering-To-Non-Approved-VNETs' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_vnet_peering_to_non_approved_vnets.json')) + } { name: 'Deny-VNet-Peering' libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_vnet_peering.json')) 
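Review bot: The rewritten comment gives the generated file as `infra-as-code\bicep\modules\policy\lib\china\policy_definitions\_mc_policyDefinitionsBicepInput.txt`, but this module sits under `modules/policy/definitions/` and loads from `lib/china/policy_definitions/`, so the path appears to be missing the `definitions` segment. The set-definitions comment in the `@@ -400,719 +408,729 @@` hunk has the same gap. Since the line is being touched anyway, `Defintions` could be corrected to `Definitions`. The comment also says the generated text is copied into the variable by hand, so a control such as `Deny-VNET-Peering-To-Non-Approved-VNETs` (added in the next hunk) is only deployed if someone remembers that step; a CI check comparing the generated file with this variable would catch drift.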
@@ -154,6 +158,10 @@ var varCustomPolicyDefinitionsArray = [ name: 'Deploy-Diagnostics-ApplicationGateway' libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_applicationgateway.json')) } + { + name: 'Deploy-Diagnostics-Bastion' + libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_bastion.json')) + } { name: 'Deploy-Diagnostics-CDNEndpoints' libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_cdnendpoints.json')) 
@@ -400,719 +408,729 @@ var varCustomPolicyDefinitionsArray = [ } ] -// This variable contains a number of objects that load in the custom Azure Policy Set/Initiative Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\policy_set_definitions\_policySetDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable. +// This variable contains a number of objects that load in the custom Azure Policy Set/Initiative Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\china\policy_set_definitions\_mc_policySetDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable. var varCustomPolicySetDefinitionsArray = [ { name: 'Deny-PublicPaaSEndpoints' libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.json')) libSetChildDefinitions: [ - { - definitionReferenceId: 'ACRDenyPaasPublicIP' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).ACRDenyPaasPublicIP.parameters - } - { - definitionReferenceId: 'AFSDenyPaasPublicIP' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).AFSDenyPaasPublicIP.parameters - } - { - definitionReferenceId: 'AKSDenyPaasPublicIP' - definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).AKSDenyPaasPublicIP.parameters - } - { - definitionReferenceId: 'BatchDenyPublicIP' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).BatchDenyPublicIP.parameters - } - { - definitionReferenceId: 'CosmosDenyPaasPublicIP' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).CosmosDenyPaasPublicIP.parameters - } - { - definitionReferenceId: 'KeyVaultDenyPaasPublicIP' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).KeyVaultDenyPaasPublicIP.parameters - } - { - definitionReferenceId: 'SqlServerDenyPaasPublicIP' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).SqlServerDenyPaasPublicIP.parameters - } - { - definitionReferenceId: 'StorageDenyPaasPublicIP' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).StorageDenyPaasPublicIP.parameters - } - ] - } - { - name: 'Deploy-ASCDF-Config' - libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.json')) - libSetChildDefinitions: [ - { - definitionReferenceId: 'ascExport' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json')).ascExport.parameters - } - { - definitionReferenceId: 'defenderForSqlPaas' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json')).defenderForSqlPaas.parameters - } - { - definitionReferenceId: 'defenderForVM' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json')).defenderForVM.parameters - } - { - definitionReferenceId: 'securityEmailContact' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json')).securityEmailContact.parameters - } - ] + { + definitionReferenceId: 'ACRDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).ACRDenyPaasPublicIP.parameters + } + { + definitionReferenceId: 'AFSDenyPaasPublicIP' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).AFSDenyPaasPublicIP.parameters + } + { + definitionReferenceId: 'AKSDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).AKSDenyPaasPublicIP.parameters + } + { + definitionReferenceId: 'BatchDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).BatchDenyPublicIP.parameters + } + { + definitionReferenceId: 'CosmosDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).CosmosDenyPaasPublicIP.parameters + } + { + definitionReferenceId: 'KeyVaultDenyPaasPublicIP' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).KeyVaultDenyPaasPublicIP.parameters + } + { + definitionReferenceId: 
'SqlServerDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).SqlServerDenyPaasPublicIP.parameters + } + { + definitionReferenceId: 'StorageDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).StorageDenyPaasPublicIP.parameters + } + ] } { name: 'Deploy-Diagnostics-LogAnalytics' libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.json')) libSetChildDefinitions: [ - { - definitionReferenceId: 'ACIDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ACIDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'ACRDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ACRDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'AKSDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AKSDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AnalysisServiceDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).APIforFHIRDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).APIMgmtDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - 
definitionReferenceId: 'AppServiceDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AppServiceDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AppServiceWebappDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'AutomationDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AutomationDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).BatchDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).CDNEndpointsDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).CognitiveServicesDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'CosmosDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).CosmosDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'DatabricksDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DatabricksDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - 
definitionReferenceId: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataFactoryDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataLakeStoreDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventGridSubDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventGridTopicDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'EventHubDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventHubDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventSystemTopicDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ExpressRouteDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'FirewallDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).FirewallDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 
'FrontDoorDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).FrontDoorDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).FunctionAppDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'HDInsightDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).HDInsightDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'IotHubDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).IotHubDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).KeyVaultDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).LoadBalancerDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).LogicAppsISEDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).LogicAppsWFDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'MariaDBDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MariaDBDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 
'MediaServiceDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MediaServiceDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MlWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'MySQLDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MySQLDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).NetworkNICDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).PostgreSQLDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).RecoveryVaultDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - 
definitionReferenceId: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).RedisCacheDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'RelayDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).RelayDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SearchServicesDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ServiceBusDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'SignalRDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SignalRDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SQLDatabaseDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'SQLMDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SQLMDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).StorageAccountDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics' - definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).TrafficManagerDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VirtualMachinesDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VirtualNetworkDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'VMSSDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VMSSDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'VNetGWDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VNetGWDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).WVDAppGroupDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics.parameters - } - { - definitionReferenceId: 
'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters - } - ] + { + definitionReferenceId: 'ACIDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ACIDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'ACRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ACRDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'AKSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AKSDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AnalysisServiceDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).APIforFHIRDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).APIMgmtDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'AppServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AppServiceDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + 
definitionReferenceId: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AppServiceWebappDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'AutomationDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AutomationDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'BastionDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).BastionDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).BatchDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).CDNEndpointsDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).CognitiveServicesDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'CosmosDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).CosmosDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'DatabricksDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DatabricksDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 
'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataFactoryDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataLakeStoreDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventGridSubDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventGridTopicDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'EventHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventHubDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventSystemTopicDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ExpressRouteDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 
'FirewallDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).FirewallDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).FrontDoorDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).FunctionAppDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'HDInsightDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).HDInsightDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'IotHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).IotHubDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).KeyVaultDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).LoadBalancerDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).LogicAppsISEDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).LogicAppsWFDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'MariaDBDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MariaDBDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MediaServiceDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MlWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'MySQLDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MySQLDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).NetworkNICDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).PostgreSQLDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + 
definitionReferenceId: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).RecoveryVaultDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).RedisCacheDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'RelayDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).RelayDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SearchServicesDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ServiceBusDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'SignalRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SignalRDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SQLDatabaseDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'SQLMDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SQLMDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics' + 
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).StorageAccountDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).TrafficManagerDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VirtualMachinesDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VirtualNetworkDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'VMSSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VMSSDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'VNetGWDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VNetGWDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).WVDAppGroupDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 
'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters + } + ] + } + { + name: 'Deploy-MDFC-Config' + libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.json')) + libSetChildDefinitions: [ + { + definitionReferenceId: 'ascExport' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.parameters.json')).ascExport.parameters + } + { + definitionReferenceId: 'defenderForContainers' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.parameters.json')).defenderForContainers.parameters + } + { + definitionReferenceId: 'defenderForSqlPaas' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.parameters.json')).defenderForSqlPaas.parameters + } + { + definitionReferenceId: 'defenderForVM' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.parameters.json')).defenderForVM.parameters + } + { + definitionReferenceId: 'securityEmailContact' + 
definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.parameters.json')).securityEmailContact.parameters + } + ] } { name: 'Deploy-Private-DNS-Zones' libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.json')) libSetChildDefinitions: [ - { - definitionReferenceId: 'Deploy-Private-DNS-Azure-File-Sync' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['Deploy-Private-DNS-Azure-File-Sync'].parameters - } - { - definitionReferenceId: 'Deploy-Private-DNS-Azure-KeyVault' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['Deploy-Private-DNS-Azure-KeyVault'].parameters - } - { - definitionReferenceId: 'Deploy-Private-DNS-Azure-Web' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['Deploy-Private-DNS-Azure-Web'].parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-ACR' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-ACR'].parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-App' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-App'].parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-AppServices' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-AppServices'].parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Batch' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-Batch'].parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveSearch' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-CognitiveSearch'].parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveServices' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-CognitiveServices'].parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-DiskAccess' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-DiskAccess'].parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridDomains' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-EventGridDomains'].parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridTopics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-EventGridTopics'].parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-EventHubNamespace' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-EventHubNamespace'].parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-IoT' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-IoT'].parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-IoTHubs' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-IoTHubs'].parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-MachineLearningWorkspace' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-MachineLearningWorkspace'].parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-RedisCache' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-RedisCache'].parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-ServiceBusNamespace' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-ServiceBusNamespace'].parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-SignalR' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-SignalR'].parameters - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-Site-Recovery'].parameters - } - ] + { + definitionReferenceId: 'Deploy-Private-DNS-Azure-File-Sync' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['Deploy-Private-DNS-Azure-File-Sync'].parameters + } + { + definitionReferenceId: 'Deploy-Private-DNS-Azure-KeyVault' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['Deploy-Private-DNS-Azure-KeyVault'].parameters + } + { + definitionReferenceId: 'Deploy-Private-DNS-Azure-Web' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['Deploy-Private-DNS-Azure-Web'].parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-ACR' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-ACR'].parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-App' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-App'].parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-AppServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-AppServices'].parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Batch' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-Batch'].parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveSearch' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-CognitiveSearch'].parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-CognitiveServices'].parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-DiskAccess' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-DiskAccess'].parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridDomains' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-EventGridDomains'].parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridTopics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-EventGridTopics'].parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-EventHubNamespace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-EventHubNamespace'].parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-IoT' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-IoT'].parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-IoTHubs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-IoTHubs'].parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-MachineLearningWorkspace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-MachineLearningWorkspace'].parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-RedisCache' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-RedisCache'].parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-ServiceBusNamespace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-ServiceBusNamespace'].parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-SignalR' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-SignalR'].parameters + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-Site-Recovery'].parameters + } + ] } { name: 'Deploy-Sql-Security' libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.json')) libSetChildDefinitions: [ - { - definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbAuditingSettingsDeploySqlSecurity.parameters - } - { - definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters - } - { - definitionReferenceId: 'SqlDbTdeDeploySqlSecurity' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbTdeDeploySqlSecurity.parameters - } - { - definitionReferenceId: 
'SqlDbVulnerabilityAssessmentsDeploySqlSecurity' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters - } - ] + { + definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbAuditingSettingsDeploySqlSecurity.parameters + } + { + definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters + } + { + definitionReferenceId: 'SqlDbTdeDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbTdeDeploySqlSecurity.parameters + } + { + definitionReferenceId: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters + } + ] } { name: 'Enforce-Encryption-CMK' libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.json')) libSetChildDefinitions: [ - { - definitionReferenceId: 'ACRCmkDeny' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).ACRCmkDeny.parameters - } - { - definitionReferenceId: 'AksCmkDeny' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).AksCmkDeny.parameters - } - { - definitionReferenceId: 'AzureBatchCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).AzureBatchCMKEffect.parameters - } - { - definitionReferenceId: 'CognitiveServicesCMK' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).CognitiveServicesCMK.parameters - } - { - definitionReferenceId: 'CosmosCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).CosmosCMKEffect.parameters - } - { - definitionReferenceId: 'DataBoxCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).DataBoxCMKEffect.parameters - } - { - definitionReferenceId: 'EncryptedVMDisksEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).EncryptedVMDisksEffect.parameters - } - { - definitionReferenceId: 'MySQLCMKEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).MySQLCMKEffect.parameters - } - { - definitionReferenceId: 'PostgreSQLCMKEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).PostgreSQLCMKEffect.parameters - } - { - definitionReferenceId: 'SqlServerTDECMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).SqlServerTDECMKEffect.parameters - } - { - definitionReferenceId: 'StorageCMKEffect' - definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).StorageCMKEffect.parameters - } - { - definitionReferenceId: 'StreamAnalyticsCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).StreamAnalyticsCMKEffect.parameters - } - { - definitionReferenceId: 'SynapseWorkspaceCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).SynapseWorkspaceCMKEffect.parameters - } - { - definitionReferenceId: 'WorkspaceCMK' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).WorkspaceCMK.parameters - } - ] + { + definitionReferenceId: 'ACRCmkDeny' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).ACRCmkDeny.parameters + } + { + definitionReferenceId: 'AksCmkDeny' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).AksCmkDeny.parameters + } + { + definitionReferenceId: 
'AzureBatchCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).AzureBatchCMKEffect.parameters + } + { + definitionReferenceId: 'CognitiveServicesCMK' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).CognitiveServicesCMK.parameters + } + { + definitionReferenceId: 'CosmosCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).CosmosCMKEffect.parameters + } + { + definitionReferenceId: 'DataBoxCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).DataBoxCMKEffect.parameters + } + { + definitionReferenceId: 'EncryptedVMDisksEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).EncryptedVMDisksEffect.parameters + } + { + definitionReferenceId: 'MySQLCMKEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).MySQLCMKEffect.parameters + } + { + definitionReferenceId: 'PostgreSQLCMKEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).PostgreSQLCMKEffect.parameters + } + { + definitionReferenceId: 'SqlServerTDECMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).SqlServerTDECMKEffect.parameters + } + { + definitionReferenceId: 'StorageCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).StorageCMKEffect.parameters + } + { + definitionReferenceId: 'StreamAnalyticsCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).StreamAnalyticsCMKEffect.parameters + } + { + definitionReferenceId: 'SynapseWorkspaceCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).SynapseWorkspaceCMKEffect.parameters + } + { + definitionReferenceId: 'WorkspaceCMK' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).WorkspaceCMK.parameters + } + ] } { name: 'Enforce-EncryptTransit' libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.json')) libSetChildDefinitions: [ - { - definitionReferenceId: 'AKSIngressHttpsOnlyEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).AKSIngressHttpsOnlyEffect.parameters - } - { - definitionReferenceId: 'APIAppServiceHttpsEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).APIAppServiceHttpsEffect.parameters - } - { - definitionReferenceId: 'APIAppServiceLatestTlsEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).APIAppServiceLatestTlsEffect.parameters - } - { - definitionReferenceId: 'AppServiceHttpEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).AppServiceHttpEffect.parameters - } - { - definitionReferenceId: 'AppServiceminTlsVersion' - 
definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).AppServiceminTlsVersion.parameters - } - { - definitionReferenceId: 'FunctionLatestTlsEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).FunctionLatestTlsEffect.parameters - } - { - definitionReferenceId: 'FunctionServiceHttpsEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).FunctionServiceHttpsEffect.parameters - } - { - definitionReferenceId: 'MySQLEnableSSLDeployEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).MySQLEnableSSLDeployEffect.parameters - } - { - definitionReferenceId: 'MySQLEnableSSLEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).MySQLEnableSSLEffect.parameters - } - { - definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect' - definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).PostgreSQLEnableSSLDeployEffect.parameters - } - { - definitionReferenceId: 'PostgreSQLEnableSSLEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).PostgreSQLEnableSSLEffect.parameters - } - { - definitionReferenceId: 'RedisDenyhttps' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).RedisDenyhttps.parameters - } - { - definitionReferenceId: 'RedisdisableNonSslPort' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).RedisdisableNonSslPort.parameters - } - { - definitionReferenceId: 'RedisTLSDeployEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).RedisTLSDeployEffect.parameters - } - { - definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS' - 
definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLManagedInstanceTLSDeployEffect.parameters - } - { - definitionReferenceId: 'SQLManagedInstanceTLSEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLManagedInstanceTLSEffect.parameters - } - { - definitionReferenceId: 'SQLServerTLSDeployEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLServerTLSDeployEffect.parameters - } - { - definitionReferenceId: 'SQLServerTLSEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLServerTLSEffect.parameters - } - { - definitionReferenceId: 'StorageDeployHttpsEnabledEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).StorageDeployHttpsEnabledEffect.parameters - } - { - definitionReferenceId: 'StorageHttpsEnabledEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS' - definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).StorageHttpsEnabledEffect.parameters - } - { - definitionReferenceId: 'WebAppServiceHttpsEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).WebAppServiceHttpsEffect.parameters - } - { - definitionReferenceId: 'WebAppServiceLatestTlsEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b' - definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).WebAppServiceLatestTlsEffect.parameters - } - ] + { + definitionReferenceId: 'AKSIngressHttpsOnlyEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).AKSIngressHttpsOnlyEffect.parameters + } + { + definitionReferenceId: 'APIAppServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).APIAppServiceHttpsEffect.parameters + } + { + definitionReferenceId: 'APIAppServiceLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).APIAppServiceLatestTlsEffect.parameters + } + { + definitionReferenceId: 'AppServiceHttpEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).AppServiceHttpEffect.parameters + } + { + definitionReferenceId: 'AppServiceminTlsVersion' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).AppServiceminTlsVersion.parameters + } + { + definitionReferenceId: 'FunctionLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).FunctionLatestTlsEffect.parameters + } + { + definitionReferenceId: 'FunctionServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).FunctionServiceHttpsEffect.parameters + } + { + definitionReferenceId: 'MySQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).MySQLEnableSSLDeployEffect.parameters + } + { + definitionReferenceId: 'MySQLEnableSSLEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).MySQLEnableSSLEffect.parameters + } + { + definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).PostgreSQLEnableSSLDeployEffect.parameters + } + { + definitionReferenceId: 'PostgreSQLEnableSSLEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).PostgreSQLEnableSSLEffect.parameters + } + { + definitionReferenceId: 'RedisDenyhttps' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).RedisDenyhttps.parameters + } + { + definitionReferenceId: 'RedisdisableNonSslPort' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).RedisdisableNonSslPort.parameters + } + { + definitionReferenceId: 'RedisTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).RedisTLSDeployEffect.parameters + } + { + definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLManagedInstanceTLSDeployEffect.parameters + } + { + definitionReferenceId: 'SQLManagedInstanceTLSEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLManagedInstanceTLSEffect.parameters + } + { + definitionReferenceId: 'SQLServerTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLServerTLSDeployEffect.parameters + } + { + definitionReferenceId: 'SQLServerTLSEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS' + definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLServerTLSEffect.parameters + } + { + definitionReferenceId: 'StorageDeployHttpsEnabledEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).StorageDeployHttpsEnabledEffect.parameters + } + { + definitionReferenceId: 'StorageHttpsEnabledEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).StorageHttpsEnabledEffect.parameters + } + { + definitionReferenceId: 'WebAppServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).WebAppServiceHttpsEffect.parameters + } + { + definitionReferenceId: 'WebAppServiceLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b' + definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).WebAppServiceLatestTlsEffect.parameters + } + ] } ] diff --git a/tests/pipelines/mc-base-unit-validate.yml b/tests/pipelines/mc-base-unit-validate.yml index c32b4d7eb..6a83a0e42 100644 --- a/tests/pipelines/mc-base-unit-validate.yml +++ b/tests/pipelines/mc-base-unit-validate.yml 
@@ -52,7 +52,7 @@ jobs: inputs: targetType: 'inline' script: | - az deployment mg validate --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json parAssignableScopeManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix) + az deployment mg validate --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json parAssignableScopeManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix) - task: Bash@3 displayName: Az CLI Validate Custom Policy Definitions for PR @@ -60,7 +60,7 @@ jobs: inputs: targetType: 'inline' script: | - az deployment mg validate --template-file infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix) + az deployment mg validate --template-file infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix) - task: Bash@3 displayName: Az CLI Validate Logging for PR 
@@ -84,7 +84,7 @@ jobs: inputs: targetType: 'inline' script: | - az deployment mg validate --template-file infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix) + az deployment mg validate --template-file infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix) - task: Bash@3 displayName: Az CLI Validate Hub Networking for PR
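Review bot: The rewritten `az deployment mg validate` line in this hunk still places `$(ManagementGroupPrefix)` and `$(Location)` unquoted in the inline Bash script. Azure Pipelines substitutes these macros as plain text before the shell runs, so a value with spaces or shell metacharacters is parsed as shell syntax, and an undefined variable is left as a literal `$(...)` that Bash treats as a command substitution. Mapping them through the step's `env:` block and quoting the shell variable avoids both, e.g. `env: { MG_PREFIX: $(ManagementGroupPrefix) }` with `--management-group-id "$MG_PREFIX"` (`MG_PREFIX` is a placeholder name); the same applies to the validate lines in the hunks at -52 and -60. Separately, the template now points at `mc-alzDefaultPolicyAssignments.bicep` while `--parameters` still names the shared `alzDefaultPolicyAssignments.parameters.all.json`, which may be intended but is worth confirming against the China template's parameter set. The step's `- task:` header lies above the hunk, so whether an `env:` block already exists is not visible here.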