Assign additional built-in Sovereign landing zone policy initiatives #718

36ad456
Added sovereign policy assignments
oZakari Jan 29, 2024
5b8b708
Sovereign policies txt files
oZakari Jan 29, 2024
6ce9a96
Shorten policy assignment names
oZakari Jan 29, 2024
8acc586
Module Updates for sovereign policy assignments
oZakari Jan 29, 2024
06d0d95
Merge branch 'main' of https://github.com/Azure/ALZ-Bicep into ado-32559
oZakari Jan 29, 2024
381980a
Fix policyset id for sovereign global policy
oZakari Jan 29, 2024
42ad4a0
Update policy file names for sovereign baselines
oZakari Jan 29, 2024
634ed0b
Fix incorrect variable reference
oZakari Jan 29, 2024
a6b3b58
Adjust sovereign baseline modules
oZakari Jan 29, 2024
c6b1444
Fix policy definition id
oZakari Jan 30, 2024
003518d
Expose additional params with UDTs
oZakari Feb 1, 2024
bd3e2ec
Generate Parameter Markdowns [oZakari/1e180555]
github-actions[bot] Feb 1, 2024
d864b57
Added logic for default allowed location for sovereign policies
oZakari Feb 1, 2024
ffa844a
Generate Parameter Markdowns [oZakari/1e180555]
github-actions[bot] Feb 1, 2024
5ac74bb
Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alz…
oZakari Feb 2, 2024
014d6c4
Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alz…
oZakari Feb 2, 2024
c89ed37
Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alz…
oZakari Feb 2, 2024
4d802f1
Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alz…
oZakari Feb 2, 2024
52f5460
Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alz…
oZakari Feb 2, 2024
7141ea0
Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alz…
oZakari Feb 2, 2024
698bea4
Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alz…
oZakari Feb 2, 2024
43294ec
Remove unnecessary paranthesis
oZakari Feb 2, 2024
6150bff
Merge branch 'ado-32559' of https://github.com/oZakari/ALZ-Bicep into…
oZakari Feb 2, 2024
@@ -1,6 +1,25 @@
metadata name = 'ALZ Bicep - ALZ Default Policy Assignments'
metadata description = 'This module will assign the ALZ Default Policy Assignments to the ALZ Management Group hierarchy'

type policyAssignmentSovereigntyGlobalOptionsType = ({
@sys.description('Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group.')
parTopLevelSovereigntyGlobalPoliciesEnable: bool

@sys.description('The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.')
parListOfAllowedLocations: string[]
})

type policyAssignmentSovereigntyConfidentialOptionsType = ({
@sys.description('The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types.')
parAllowedResourceTypes: string[]

@sys.description('The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.')
parListOfAllowedLocations: string[]

@sys.description('The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs.')
parAllowedVirtualMachineSKUs: string[]
})

@sys.description('Prefix used for the management group hierarchy.')
@minLength(2)
@maxLength(10)
Expand All @@ -10,6 +29,30 @@ param parTopLevelManagementGroupPrefix string = 'alz'
@maxLength(10)
param parTopLevelManagementGroupSuffix string = ''

@sys.description('''Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.'

- `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group.
- `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.

''')
param parTopLevelPolicyAssignmentSovereigntyGlobal policyAssignmentSovereigntyGlobalOptionsType = {
parTopLevelSovereigntyGlobalPoliciesEnable: false
parListOfAllowedLocations: []
}

@sys.description('''Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.'

- `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types.
- `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.
- `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs.

''')
param parPolicyAssignmentSovereigntyConfidential policyAssignmentSovereigntyConfidentialOptionsType = {
parAllowedResourceTypes: []
parListOfAllowedLocations: []
parAllowedVirtualMachineSKUs: []
}

@sys.description('Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.')
param parPlatformMgAlzDefaultsEnable bool = true

Expand Down Expand Up @@ -80,6 +123,7 @@ var varDeploymentNameWrappers = {
}

var varModuleDeploymentNames = {
modPolicyAssignmentIntRootEnforceSovereigntyGlobal: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceSovereigntyGlobal-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentIntRootDeployMdfcConfig: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMDFCConfig-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentIntRootDeployAzActivityLog: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAzActivityLog-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentIntRootDeployAscMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployASCMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
Expand Down Expand Up @@ -117,9 +161,11 @@ var varModuleDeploymentNames = {
modPolicyAssignmentLzsDeploySqlTde: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLTde-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentLzsEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentLzsAuditAppGwWaf: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditAppGwWaf-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceSovereigntyConf-confidential-online-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentLzsCorpDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentLzsConfidentialCorpDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-confidential-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentLzsCorpDeployPrivateDnsZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployPrivateDNS-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentLzsConfidentialCorpEnforceSovereigntyConf: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceSovereigntyConf-confidential-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentLzsConfidentialCorpDeployPrivateDnsZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployPrivateDNS-confidential-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentLzsCorpDenyPipOnNic: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPipOnNic-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentLzsConfidentialCorpDenyPipOnNic: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPipOnNic-confidential-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
Expand Down Expand Up @@ -198,6 +244,16 @@ var varPolicyAssignmentDenyPublicIP = {
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')
}

var varPolicyAssignmentEnforceSovereigntyConf = {
definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/03de05a4-c324-4ccd-882f-a814ea8ab9ea'
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_conf.tmpl.json')
}

var varPolicyAssignmentEnforceSovereigntyGlobal = {
definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/c1cbff38-87c0-4b9f-9f70-035c7a3b5523'
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_global.tmpl.json')
}

var varPolicyAssignmentDenyStoragehttp = {
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9'
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json')
Expand Down Expand Up @@ -441,6 +497,27 @@ module modCustomerUsageAttributionZtnP1 '../../../../CRML/customerUsageAttributi
}

// Modules - Policy Assignments - Intermediate Root Management Group
// Module - Policy Assignment - Enforce-Sovereign-Global
module modPolicyAssignmentIntRootEnforceSovereigntyGlobal '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceSovereigntyGlobal.libDefinition.name) && parTopLevelPolicyAssignmentSovereigntyGlobal.parTopLevelSovereigntyGlobalPoliciesEnable) {
scope: managementGroup(varManagementGroupIds.intRoot)
name: varModuleDeploymentNames.modPolicyAssignmentIntRootEnforceSovereigntyGlobal
params: {
parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceSovereigntyGlobal.definitionId
parPolicyAssignmentName: varPolicyAssignmentEnforceSovereigntyGlobal.libDefinition.name
parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceSovereigntyGlobal.libDefinition.properties.displayName
parPolicyAssignmentDescription: varPolicyAssignmentEnforceSovereigntyGlobal.libDefinition.properties.description
parPolicyAssignmentParameters: varPolicyAssignmentEnforceSovereigntyGlobal.libDefinition.properties.parameters
parPolicyAssignmentParameterOverrides: {
listOfAllowedLocations: {
#disable-next-line no-loc-expr-outside-params //Policies resources are not deployed to a region, like other resources, but the metadata is stored in a region hence requiring this to keep input parameters reduced. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
value: empty(parTopLevelPolicyAssignmentSovereigntyGlobal.parListOfAllowedLocations) ? array(deployment().location) : parTopLevelPolicyAssignmentSovereigntyGlobal.parListOfAllowedLocations
}
}
parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereigntyGlobal.libDefinition.identity.type
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereigntyGlobal.libDefinition.properties.enforcementMode
parTelemetryOptOut: parTelemetryOptOut
}
}
// Module - Policy Assignment - Deploy-MDFC-Config
module modPolicyAssignmentIntRootDeployMdfcConfig '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMDFCConfig.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.intRoot)
Expand Down Expand Up @@ -1416,6 +1493,64 @@ module modPolicyAssignmentLzsCorpAuditPeDnsZones '../../../policy/assignments/po
}
}]

// Modules - Policy Assignments - Confidential Online Management Group
// Module - Policy Assignment - Enforce-Sovereign-Conf
module modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceSovereigntyConf.libDefinition.name) && parLandingZoneMgConfidentialEnable) {
scope: managementGroup(varManagementGroupIds.landingZonesConfidentialOnline)
name: varModuleDeploymentNames.modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf
params: {
parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceSovereigntyConf.definitionId
parPolicyAssignmentName: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.name
parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.displayName
parPolicyAssignmentDescription: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.description
parPolicyAssignmentParameters: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.parameters
parPolicyAssignmentParameterOverrides: {
allowedResourceTypes: {
value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedResourceTypes)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedResourceTypes : varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.parameters.allowedResourceTypes.value
}
listOfAllowedLocations: {
#disable-next-line no-loc-expr-outside-params //Policies resources are not deployed to a region, like other resources, but the metadata is stored in a region hence requiring this to keep input parameters reduced. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
value: empty(parPolicyAssignmentSovereigntyConfidential.parListOfAllowedLocations) ? array(deployment().location) : parPolicyAssignmentSovereigntyConfidential.parListOfAllowedLocations
}
allowedVirtualMachineSKUs: {
value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs : varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.parameters.allowedVirtualMachineSKUs.value
}
}
parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.identity.type
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.enforcementMode
parTelemetryOptOut: parTelemetryOptOut
}
}

// Modules - Policy Assignments - Confidential Corp Management Group
// Module - Policy Assignment - Enforce-Sovereign-Conf
module modPolicyAssignmentLzsConfidentialCorpEnforceSovereigntyConf '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceSovereigntyConf.libDefinition.name) && parLandingZoneMgConfidentialEnable) {
scope: managementGroup(varManagementGroupIds.landingZonesConfidentialCorp)
name: varModuleDeploymentNames.modPolicyAssignmentLzsConfidentialCorpEnforceSovereigntyConf
params: {
parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceSovereigntyConf.definitionId
parPolicyAssignmentName: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.name
parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.displayName
parPolicyAssignmentDescription: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.description
parPolicyAssignmentParameters: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.parameters
parPolicyAssignmentParameterOverrides: {
allowedResourceTypes: {
value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedResourceTypes)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedResourceTypes : varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.parameters.allowedResourceTypes.value
}
listOfAllowedLocations: {
#disable-next-line no-loc-expr-outside-params //Policies resources are not deployed to a region, like other resources, but the metadata is stored in a region hence requiring this to keep input parameters reduced. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
value: empty(parPolicyAssignmentSovereigntyConfidential.parListOfAllowedLocations) ? array(deployment().location) : parPolicyAssignmentSovereigntyConfidential.parListOfAllowedLocations
}
allowedVirtualMachineSKUs: {
value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs : varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.parameters.allowedVirtualMachineSKUs.value
}
}
parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.identity.type
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.enforcementMode
parTelemetryOptOut: parTelemetryOptOut
}
}

// Modules - Policy Assignments - Decommissioned Management Group
// Module - Policy Assignment - Enforce-ALZ-Decomm
module modPolicyAssignmentDecommEnforceAlz '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceALZDecomm.libDefinition.name)) {
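Review bot: The multi-line descriptions on `parTopLevelPolicyAssignmentSovereigntyGlobal` and `parPolicyAssignmentSovereigntyConfidential` name members that do not exist on their types: the first lists `parTopLevelSovereignGlobalPoliciesEnable` (also missing its closing backtick) while the type and the default value define `parTopLevelSovereigntyGlobalPoliciesEnable`, and the second lists `parallowedVirtualMachineSKUs` while the member is `parAllowedVirtualMachineSKUs`. Both descriptions also carry a stray `'` after their first sentence, and the VM SKU text reads "approved approved" in both the type decorator and the description. Because the parameter markdown in this PR is generated from these decorators, the mismatches propagate into the published docs; the corrected bullets would read `` - `parTopLevelSovereigntyGlobalPoliciesEnable` - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. `` and `` - `parAllowedVirtualMachineSKUs` - The list of VM SKUs approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. ``. Separately, `modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf` and `modPolicyAssignmentLzsConfidentialCorpEnforceSovereigntyConf` differ only in scope and deployment name, so the three parameter overrides are maintained twice; a `[for ...]` over the two management group ids, as the file appears to use elsewhere given the `}]` closing just above the first of them, would keep that logic in one place, though that is a style choice.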