diff --git a/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep b/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep
index dc026ea4c..f27a2176d 100644
--- a/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep
+++ b/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep
@@ -150,6 +150,10 @@ var varCustomPolicyDefinitionsArray = [
 name: 'Deny-VNET-Peer-Cross-Sub'
 libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_vnet_peer_cross_sub.json'))
 }
+ {
+ name: 'Deny-VNET-Peering-To-Non-Approved-VNETs'
+ libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_vnet_peering_to_non_approved_vnets.json'))
+ }
 {
 name: 'Deny-VNet-Peering'
 libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_vnet_peering.json'))
@@ -198,6 +202,14 @@ var varCustomPolicyDefinitionsArray = [
 name: 'Deploy-Diagnostics-ApplicationGateway'
 libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_applicationgateway.json'))
 }
+ {
+ name: 'Deploy-Diagnostics-AVDScalingPlans'
+ libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_avdscalingplans.json'))
+ }
+ {
+ name: 'Deploy-Diagnostics-Bastion'
+ libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_bastion.json'))
+ }
 {
 name: 'Deploy-Diagnostics-CDNEndpoints'
 libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_cdnendpoints.json'))
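Review bot: The new `Deny-VNET-Peering-To-Non-Approved-VNETs` entry loads `lib/policy_definitions/policy_definition_es_deny_vnet_peering_to_non_approved_vnets.json`, but that file does not appear anywhere in the part of the diff visible here, and the generated `_policyDefinitionsBicepInput.txt` hunk in this diff only shows the two Deploy-Diagnostics additions. Please confirm the JSON definition is part of this commit and that the input file was regenerated with the same entry, since `loadTextContent` on a missing path fails at build time rather than at deployment. The `varCustomPolicyDefinitionsArray` declaration starts and ends outside this hunk.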
@@ -536,6 +548,16 @@ var varCustomPolicySetDefinitionsArray = [ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).AutomationDeployDiagnosticLogDeployLogAnalytics.parameters } + { + definitionReferenceId: 'AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans' + definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'BastionDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion' + definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).BastionDeployDiagnosticLogDeployLogAnalytics.parameters + } { definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5' diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt index f32e276fc..f5e7e1653 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt 
@@ -190,6 +190,14 @@
 name: 'Deploy-Diagnostics-ApplicationGateway'
 libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_applicationgateway.json'))
 }
+{
+ name: 'Deploy-Diagnostics-AVDScalingPlans'
+ libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_avdscalingplans.json'))
+}
+{
+ name: 'Deploy-Diagnostics-Bastion'
+ libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_bastion.json'))
+}
 {
 name: 'Deploy-Diagnostics-CDNEndpoints'
 libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_cdnendpoints.json'))
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deny_machinelearning_computecluster_remoteloginportpublicaccess.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deny_machinelearning_computecluster_remoteloginportpublicaccess.json
index fede0a8dd..0e3a50c7b 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deny_machinelearning_computecluster_remoteloginportpublicaccess.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deny_machinelearning_computecluster_remoteloginportpublicaccess.json
@@ -5,11 +5,11 @@
 "scope": null,
 "properties": {
 "policyType": "Custom",
- "mode": "Indexed",
+ "mode": "All",
 "displayName": "Deny public access of Azure Machine Learning clusters via SSH",
 "description": "Deny public access of Azure Machine Learning clusters via SSH.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Machine Learning"
 },
 "parameters": {
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_apimgmt.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_apimgmt.json
index 821c6e98f..178561ff3 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_apimgmt.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_apimgmt.json
@@ -147,6 +147,10 @@
 {
 "category": "GatewayLogs",
 "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "WebSocketConnectionLogs",
+ "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_avdscalingplans.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_avdscalingplans.json
new file mode 100644
index 000000000..855cd51e5
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_avdscalingplans.json
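Review bot: Adding `WebSocketConnectionLogs` to the deployed template will not reach API Management instances that already carry a policy-deployed diagnostic setting: if this file's `existenceCondition` follows the `logs.enabled equals true` pattern used by the new Bastion and AVD Scaling Plans definitions in this diff, the old setting already satisfies it, so no remediation fires and the new category stays disabled until the setting is recreated. The same applies to the category additions in the firewall, mlworkspace and wvdhostpools hunks. Either tighten the existence condition to the categories the policy deploys, or state in the definition `description` that categories added in a new version only apply to settings created after it. I also do not see a metadata `version` bump for this file in the visible diff, unlike mlworkspace and wvdhostpools; the existence condition and metadata are outside this hunk.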
@@ -0,0 +1,150 @@ +{ + "name": "Deploy-Diagnostics-AVDScalingPlans", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DesktopVirtualization/scalingplans" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": 
"Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "Autoscale", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
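Review bot: The `existenceCondition` requires `Microsoft.Insights/diagnosticSettings/logs.enabled` to equal `true`, yet `logsEnabled` is an assignable parameter that allows `False`; with that value the setting the policy itself deploys can never satisfy the check, so every scaling plan stays non-compliant and is redeployed on each evaluation cycle. The Bastion definition added in this diff has the same trap for both `logsEnabled` and `metricsEnabled`. Either remove the `False` option or warn in the parameter metadata, e.g. `"description": "Whether to enable logs stream to the Log Analytics workspace - True or False. False cannot satisfy the existence condition and will keep resources non-compliant."`. Separately, the definition `description` carries the "all and categorys enabled" wording copied from the WVD policies; `The Policy will set the diagnostic with all log categories enabled.` reads correctly.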
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_bastion.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_bastion.json new file mode 100644 index 000000000..fd911f910 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_bastion.json 
@@ -0,0 +1,183 @@ +{ + "name": "Deploy-Diagnostics-Bastion", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log 
Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/bastionHosts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/bastionHosts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "BastionAuditLogs", + "enabled": "[parameters('logsEnabled')]" 
+ } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_firewall.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_firewall.json index f9be154a5..f5e67eda7 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_firewall.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_firewall.json 
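Review bot: `details.name` is hard-coded to `setByPolicy` while the deployed diagnostic setting is named from `parameters('profileName')` (default `setbypolicy`), so an assignment that overrides `profileName` creates a setting the existence check never inspects and the bastion host is reported non-compliant and redeployed every cycle. Use the parameter in the existence lookup, `"name": "[parameters('profileName')]"`, so the check and the deployment agree; the default value also relies on case-insensitive name matching between `setByPolicy` and `setbypolicy`, which is worth confirming. The AVD Scaling Plans definition added in this diff has the same mismatch.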
@@ -155,6 +155,46 @@ { "category": "AzureFirewallDnsProxy", "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNetworkRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWApplicationRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNatRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWThreatIntel", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWIdpsSignature", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWDnsQuery", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWFqdnResolveFailure", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWApplicationRuleAggregation", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNetworkRuleAggregation", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNatRuleAggregation", + "enabled": "[parameters('logsEnabled')]" } ] } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mlworkspace.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mlworkspace.json index 4a484cd00..866dedbf2 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mlworkspace.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mlworkspace.json 
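Review bot: The ten `AZFW*` categories appended here are the structured firewall log categories, while the hunk keeps the legacy `AzureFirewall*` categories enabled as well; as far as I recall the structured categories are intended for resource-specific tables, and this template does not set `logAnalyticsDestinationType`, so confirm they actually land, and be aware that enabling both sets ingests the same rule hits twice (cost and duplicate detections). A note in the definition `description` such as `Enables both legacy AzureFirewall* and structured AZFW* categories; expect duplicate entries until the legacy categories are retired.` would make this explicit for assignment owners. No metadata `version` bump for this file is visible in the diff, and the `existenceCondition` sits outside the hunk.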
@@ -9,7 +9,7 @@
 "displayName": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace",
 "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Monitoring"
 },
 "parameters": {
@@ -134,39 +134,12 @@
 "workspaceId": "[parameters('logAnalytics')]",
 "metrics": [
 {
- "category": "Run",
+ "category": "AllMetrics",
 "enabled": "[parameters('metricsEnabled')]",
 "retentionPolicy": {
- "days": 0,
- "enabled": false
- },
- "timeGrain": null
- },
- {
- "category": "Model",
- "enabled": "[parameters('metricsEnabled')]",
- "retentionPolicy": {
- "days": 0,
- "enabled": true
+ "enabled": false,
+ "days": 0
 }
- },
- {
- "category": "Quota",
- "enabled": "[parameters('metricsEnabled')]",
- "retentionPolicy": {
- "days": 0,
- "enabled": false
- },
- "timeGrain": null
- },
- {
- "category": "Resource",
- "enabled": "[parameters('metricsEnabled')]",
- "retentionPolicy": {
- "days": 0,
- "enabled": false
- },
- "timeGrain": null
 }
 ],
 "logs": [
@@ -189,6 +162,90 @@ { "category": "AmlRunStatusChangedEvent", "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ModelsChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ModelsReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ModelsActionEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeploymentReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeploymentEventACI", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeploymentEventAKS", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "InferencingOperationAKS", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "InferencingOperationACI", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataLabelChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataLabelReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ComputeInstanceEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataStoreChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataStoreReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataSetChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataSetReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PipelineChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PipelineReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RunEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RunReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "EnvironmentChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "EnvironmentReadEvent", + "enabled": "[parameters('logsEnabled')]" } ] } 
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdappgroup.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdappgroup.json
index ea275ecf8..bd8512f49 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdappgroup.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdappgroup.json
@@ -6,10 +6,10 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for WVD Application group to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for WVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "displayName": "Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.1",
 "category": "Monitoring"
 },
 "parameters": {
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdhostpools.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdhostpools.json
index 72956ce51..c9f61de71 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdhostpools.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdhostpools.json @@ -6,10 +6,10 @@ "properties": { "policyType": "Custom", "mode": "Indexed", - "displayName": "Deploy Diagnostic Settings for WVD Host Pools to Log Analytics workspace", - "description": "Deploys the diagnostic settings for WVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "displayName": "Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Monitoring" }, "parameters": { @@ -137,6 +137,14 @@ { "category": "AgentHealthStatus", "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "NetworkData", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SessionHostManagement", + "enabled": "[parameters('logsEnabled')]" } ] } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdworkspace.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdworkspace.json index becf90fc2..ffea0cba7 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdworkspace.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdworkspace.json 
@@ -6,10 +6,10 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.1",
 "category": "Monitoring"
 },
 "parameters": {
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_storage_sslenforcement.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_storage_sslenforcement.json
index 7635e450e..d2a443691 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_storage_sslenforcement.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deploy_storage_sslenforcement.json
@@ -7,9 +7,9 @@
 "policyType": "Custom",
 "mode": "Indexed",
 "displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ",
- "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure STorage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
+ "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Storage"
 },
 "parameters": {
@@ -21,7 +21,7 @@
 "Disabled"
 ],
 "metadata": {
- "displayName": "Effect Azure STorage",
+ "displayName": "Effect Azure Storage",
 "description": "Enable or disable the execution of the policy minimum TLS version Azure STorage"
 }
 },
@@ -34,7 +34,7 @@
 "TLS1_0"
 ],
 "metadata": {
- "displayName": "Select version for PostgreSQL server",
+ "displayName": "Select TLS version for Azure Storage server",
 "description": "Select version minimum TLS version Azure STorage to enforce"
 }
 }
@@ -63,7 +63,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
- "type": "Microsoft.DBforPostgreSQL/servers",
+ "type": "Microsoft.Storage/storageAccounts",
 "existenceCondition": {
 "allOf": [
 {
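Review bot: The reworded `description` still says the TLS floor secures "the connection between your database server and your client applications", wording inherited from the PostgreSQL policy this file was cloned from, and the two parameter `description` strings touched by the following hunks still read "Azure STorage". Since these strings are already being edited in this commit, finish the cleanup in the same pass, e.g. `"description": "Deploy a specific minimum TLS version requirement and enforce HTTPS on Azure Storage. Enforcing a minimum TLS version for connections between your storage account and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream. This configuration also enforces that HTTPS is always required for accessing your storage account."`. The `Microsoft.Storage/storageAccounts` fix in the `details.type` hunk is the right correction; that `existenceCondition` continues past this hunk.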
@@ -73,10 +73,6 @@
 {
 "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
 "equals": "[parameters('minimumTlsVersion')]"
- },
- {
- "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
- "equals": "false"
 }
 ]
 },
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt
index 6d2ca8cf3..ba146bc98 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt
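Review bot: Deleting the `supportsHttpsTrafficOnly` clause weakens the existence check instead of fixing it: the old clause was inverted (`equals false`), but with no clause at all a storage account that has the required `minimumTlsVersion` and `supportsHttpsTrafficOnly` set to false is now judged compliant, while the displayName and description still promise to "enforce SSL/HTTPS". Restore the clause with the intended value, `{ "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "true" }`, provided the deployment template (outside this hunk) sets that property to true; if it does not, the HTTPS claim should be dropped from the metadata instead so assignment owners are not misled about coverage. The `existenceCondition` object starts before this hunk.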
@@ -108,6 +108,16 @@ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).AutomationDeployDiagnosticLogDeployLogAnalytics.parameters } + { + definitionReferenceId: 'AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans' + definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics.parameters + } + { + definitionReferenceId: 'BastionDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion' + definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).BastionDeployDiagnosticLogDeployLogAnalytics.parameters + } { definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5' diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.json index 48e1ddadd..4beaa31b9 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.json 
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.json @@ -8,7 +8,7 @@ "displayName": "Deploy Diagnostic Settings to Azure Services", "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included ", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Monitoring" }, "parameters": { @@ -124,6 +124,18 @@ "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" } }, + "BastionLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, "BatchLogAnalyticsEffect": { "type": "String", "defaultValue": "DeployIfNotExists", 
@@ -712,6 +724,18 @@ "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" } }, + "AVDScalingPlansLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, "WVDAppGroupsLogAnalyticsEffect": { "type": "String", "defaultValue": "DeployIfNotExists", @@ -720,8 +744,8 @@ "Disabled" ], "metadata": { - "displayName": "Deploy Diagnostic Settings for WVD Application Groups to Log Analytics workspace", - "description": "Deploys the diagnostic settings for WVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + "displayName": "Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" } }, "WVDWorkspaceLogAnalyticsEffect": { 
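Review bot: The new `AVDScalingPlansLogAnalyticsEffect` parameter's `description` says the policy fires "when any application groups which is missing this diagnostic settings" and promises "all metrics and category enabled", both copied from the `WVDAppGroupsLogAnalyticsEffect` entry below it, whereas the `Deploy-Diagnostics-AVDScalingPlans` definition added in this diff targets scaling plans and deploys only the `Autoscale` log category with no metrics. Suggested wording: `"description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any scaling plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all log categories enabled"`. The `BastionLogAnalyticsEffect` entry in the earlier hunk of this file reads correctly.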
@@ -732,8 +756,8 @@
 "Disabled"
 ],
 "metadata": {
- "displayName": "Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
 }
 },
 "WVDHostPoolsLogAnalyticsEffect": {
@@ -744,8 +768,8 @@
 "Disabled"
 ],
 "metadata": {
- "displayName": "Deploy Diagnostic Settings for WVD Host pools to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for WVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ "displayName": "Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
 }
 },
 "StorageAccountsLogAnalyticsEffect": {
@@ -775,6 +799,22 @@
 },
 "groupNames": []
 },
+ {
+ "policyDefinitionReferenceId": "AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('AVDScalingPlansLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
 {
 "policyDefinitionReferenceId": "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics",
 "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup",
@@ -951,6 +991,22 @@
 },
 "groupNames": []
 },
+ {
+ "policyDefinitionReferenceId": "BastionDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('BastionLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
 {
 "policyDefinitionReferenceId": "BatchDeployDiagnosticLogDeployLogAnalytics",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5",
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json
index ba22c72b9..dd25e56b7 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json
@@ -129,6 +129,32 @@
 }
 }
 },
+ "AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics": {
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('AVDScalingPlansLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ },
+ "BastionDeployDiagnosticLogDeployLogAnalytics": {
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('BastionLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ },
 "BatchDeployDiagnosticLogDeployLogAnalytics": {
 "parameters": {
 "logAnalytics": {
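Review bot: The two entries added here repeat, key for key, the `parameters` blocks that the previous file's hunks add under `policyDefinitions` for the same `policyDefinitionReferenceId` values, and these copies are presumably what the Bicep module passes as the set's definition parameters, so nothing in the data itself ties the two files together. A mismatch between them — for instance the `effect` value naming a parameter that the set definition does not declare — would only surface at assignment time as a missing-parameter error rather than at authoring time. If the repository has no check that the two files agree, a small test that loads both JSON files and asserts that each reference id's `parameters` object here is identical to the one in the set definition would catch that drift for these and the existing entries. The enclosing object starts and ends outside this hunk.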