diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 4a013eb3b..3b2929be5 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -7,6 +7,9 @@ type policyAssignmentSovereigntyGlobalOptionsType = { @sys.description('The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.') parListOfAllowedLocations: string[] + + @sys.description('The effect type for the Sovereignty Baseline - Global Policies Assignment.') + parPolicyEffect: ('Audit' | 'Deny' | 'Disabled' | 'AuditIfNotExists') } type policyAssignmentSovereigntyConfidentialOptionsType = { @@ -18,6 +21,9 @@ type policyAssignmentSovereigntyConfidentialOptionsType = { @sys.description('The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs.') parAllowedVirtualMachineSKUs: string[] + + @sys.description('The effect type for the Sovereignty Baseline - Confidential Policies Assignment.') + parPolicyEffect: ('Audit' | 'Deny' | 'Disabled' | 'AuditIfNotExists') } @sys.description('Prefix used for the management group hierarchy.') 
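Review bot: The new `parPolicyEffect` union on both option types admits `AuditIfNotExists` and `Disabled`, but a value is only usable if the assigned initiative's `effect` parameter accepts it — should the Sovereignty Baseline definitions declare `allowedValues` that omit `AuditIfNotExists`, the failure surfaces at assignment deployment rather than at Bicep compile time, so please confirm the union against the library definitions before widening it. `Disabled` also deserves a warning in the description, since it switches the sovereignty guardrails off at the definition level regardless of the assignment's enforcement mode. Suggest `@sys.description('The effect type for the Sovereignty Baseline - Global Policies Assignment. Deny blocks non-compliant deployments, Audit/AuditIfNotExists only report, Disabled turns the baseline off entirely.')` and the same for the Confidential type. Both enclosing type declarations start before the hunk.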
@@ -31,13 +37,15 @@ param parTopLevelManagementGroupSuffix string = '' @sys.description('''Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' -- `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. +- `parTopLevelSovereignGlobalPoliciesEnable` - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. +- `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment. ''') param parTopLevelPolicyAssignmentSovereigntyGlobal policyAssignmentSovereigntyGlobalOptionsType = { parTopLevelSovereigntyGlobalPoliciesEnable: false parListOfAllowedLocations: [] + parPolicyEffect: 'Deny' } @sys.description('''Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' 
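Review bot: The new description bullet for `parPolicyEffect` does not tell the reader the accepted values or that the default of `Deny` is the only setting that actually blocks non-sovereign deployments, so anyone lowering it from the parameter file has no hint that they are weakening the guardrail. Suggest the bullet read `` - `parPolicyEffect` - Effect for the Sovereignty Baseline - Global Policies Assignment (`Audit`, `Deny`, `Disabled`, `AuditIfNotExists`). Defaults to `Deny`; any other value stops the baseline from blocking non-compliant resources. `` The `@sys.description` block this bullet belongs to starts before the hunk.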
@@ -45,12 +53,14 @@ param parTopLevelPolicyAssignmentSovereigntyGlobal policyAssignmentSovereigntyGl - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. +- `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. ''') param parPolicyAssignmentSovereigntyConfidential policyAssignmentSovereigntyConfidentialOptionsType = { parAllowedResourceTypes: [] parListOfAllowedLocations: [] parAllowedVirtualMachineSKUs: [] + parPolicyEffect: 'Deny' } @sys.description('Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.') @@ -89,6 +99,9 @@ param parPrivateDnsZonesNamesToAuditInCorp array = [] @sys.description('Set Enforcement Mode of all default Policies assignments to Do Not Enforce.') param parDisableAlzDefaultPolicies bool = false +@sys.description('Set Enforcement Mode of all default sovereign Policies assignments to Do Not Enforce.') +param parDisableSlzDefaultPolicies bool = false + @sys.description('Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter.') param parVmBackupExclusionTagName string = '' 
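Review bot: While the Confidential description is being extended, the existing bullets it sits next to still name the property as `parallowedVirtualMachineSKUs` (lower-case `a`) although the type declares `parAllowedVirtualMachineSKUs`, and "approved approved" is doubled; the generated docs further down in this diff copy that text verbatim, so the fix belongs here. Suggest `` - `parAllowedVirtualMachineSKUs` - The list of VM SKUs approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. `` and, for the new bullet, stating that the default is `Deny` and that lowering it weakens the confidential guardrail. The `@sys.description` block starts before the hunk.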
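Review bot: Introducing `parDisableSlzDefaultPolicies` silently changes what `parDisableAlzDefaultPolicies` does: the module hunks later in this diff switch the three sovereignty assignments from the ALZ flag to the new SLZ flag, so a deployment that today sets `parDisableAlzDefaultPolicies: true` (and has the sovereignty assignments enabled) will, after upgrading, have those assignments enforced with `Deny` unless the new parameter is also set. That is a behavioural break that the description does not call out; suggest `@sys.description('Set Enforcement Mode of the Sovereignty Baseline (SLZ) policy assignments to Do Not Enforce. These assignments are no longer affected by parDisableAlzDefaultPolicies.')` plus an upgrade note in the module docs or changelog. Defaulting the new flag to `false` is the right security posture, but the migration impact should be explicit.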
@@ -524,9 +537,12 @@ module modPolicyAssignmentIntRootEnforceSovereigntyGlobal '../../../policy/assig
 #disable-next-line no-loc-expr-outside-params
 value: !(empty(parTopLevelPolicyAssignmentSovereigntyGlobal.parListOfAllowedLocations)) ? parTopLevelPolicyAssignmentSovereigntyGlobal.parListOfAllowedLocations : array(deployment().location)
 }
+ effect: {
+ value: parTopLevelPolicyAssignmentSovereigntyGlobal.parPolicyEffect
+ }
 }
 parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignGlobal.libDefinition.identity.type
- parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignGlobal.libDefinition.properties.enforcementMode
+ parPolicyAssignmentEnforcementMode: parDisableSlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignGlobal.libDefinition.properties.enforcementMode
 parTelemetryOptOut: parTelemetryOptOut
 }
 }
@@ -1560,9 +1576,12 @@ module modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf '../../../
 allowedVirtualMachineSKUs: {
 value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.parameters.allowedVirtualMachineSKUs.value
 }
+ effect: {
+ value: parPolicyAssignmentSovereigntyConfidential.parPolicyEffect
+ }
 }
 parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignConf.libDefinition.identity.type
- parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode
+ parPolicyAssignmentEnforcementMode: parDisableSlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode
 parTelemetryOptOut: parTelemetryOptOut
 }
 }
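Review bot: The enforcement-mode line now has two independent knobs that relax the same assignment — `parPolicyEffect: 'Disabled'` from the new `effect` parameter and `parDisableSlzDefaultPolicies` on this line — and nothing in the module records that `parDisableAlzDefaultPolicies` deliberately no longer applies here, which a future maintainer is likely to "fix" back. Suggest a comment above the enforcement line, `// Sovereignty assignments are relaxed only via parDisableSlzDefaultPolicies; parDisableAlzDefaultPolicies intentionally leaves them enforced`. The `effect` value is passed unconditionally while the sibling parameters fall back to `libDefinition.properties.parameters.<name>.value` when empty; that is fine because the union type cannot be empty, but a one-line comment saying so would keep the block consistent for readers. Both module blocks in this hunk start before the hunk.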
@@ -1589,9 +1608,12 @@ module modPolicyAssignmentLzsConfidentialCorpEnforceSovereigntyConf '../../../po
 allowedVirtualMachineSKUs: {
 value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.parameters.allowedVirtualMachineSKUs.value
 }
+ effect: {
+ value: parPolicyAssignmentSovereigntyConfidential.parPolicyEffect
+ }
 }
 parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignConf.libDefinition.identity.type
- parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode
+ parPolicyAssignmentEnforcementMode: parDisableSlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode
 parTelemetryOptOut: parTelemetryOptOut
 }
 }
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
index d15411fdc..b0981255b 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
@@ -8,8 +8,8 @@ Parameter name | Required | Description -------------- | -------- | ----------- parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy. parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix -parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. -parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. +parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' 
- `parTopLevelSovereignGlobalPoliciesEnable` - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment. +parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups. parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or online Management Groups. 
parLandingZoneMgConfidentialEnable | No | Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups 
@@ -22,6 +22,7 @@ parDdosProtectionPlanId | No | ID of the DdosProtectionPlan which will be parPrivateDnsResourceGroupId | No | Resource ID of the Resource Group that conatin the Private DNS Zones. If left empty, the policy Deploy-Private-DNS-Zones will not be assigned to the corp Management Group. parPrivateDnsZonesNamesToAuditInCorp | No | Provide an array/list of Private DNS Zones that you wish to audit if deployed into Subscriptions in the Corp Management Group. NOTE: The policy default values include all the static Private Link Private DNS Zones, e.g. all the DNS Zones that dont have a region or region shortcode in them. If you wish for these to be audited also you must provide a complete array/list to this parameter for ALL Private DNS Zones you wish to audit, including the static Private Link ones, as this parameter performs an overwrite operation. You can get all the Private DNS Zone Names form the `outPrivateDnsZonesNames` output in the Hub Networking or Private DNS Zone modules. parDisableAlzDefaultPolicies | No | Set Enforcement Mode of all default Policies assignments to Do Not Enforce. +parDisableSlzDefaultPolicies | No | Set Enforcement Mode of all default sovereign Policies assignments to Do Not Enforce. parVmBackupExclusionTagName | No | Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter. parVmBackupExclusionTagValue | No | Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. parExcludedPolicyAssignments | No | Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments 
@@ -47,12 +48,13 @@ Optional suffix for the management group hierarchy. This suffix will be appended Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' -- `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. +- `parTopLevelSovereignGlobalPoliciesEnable` - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. +- `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment. -- Default value: `@{parTopLevelSovereigntyGlobalPoliciesEnable=False; parListOfAllowedLocations=System.Object[]}` +- Default value: `@{parTopLevelSovereigntyGlobalPoliciesEnable=False; parListOfAllowedLocations=System.Object[]; parPolicyEffect=Deny}` ### parPolicyAssignmentSovereigntyConfidential 
@@ -63,10 +65,11 @@ Object used to assign Sovereignty Baseline - Confidential Policies to the confid - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. +- `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. -- Default value: `@{parAllowedResourceTypes=System.Object[]; parListOfAllowedLocations=System.Object[]; parAllowedVirtualMachineSKUs=System.Object[]}` +- Default value: `@{parAllowedResourceTypes=System.Object[]; parListOfAllowedLocations=System.Object[]; parAllowedVirtualMachineSKUs=System.Object[]; parPolicyEffect=Deny}` ### parPlatformMgAlzDefaultsEnable @@ -156,6 +159,14 @@ Set Enforcement Mode of all default Policies assignments to Do Not Enforce. - Default value: `False` +### parDisableSlzDefaultPolicies + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Enforcement Mode of all default sovereign Policies assignments to Do Not Enforce. + +- Default value: `False` + ### parVmBackupExclusionTagName ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) 
@@ -203,14 +214,16 @@ Set Parameter to true to Opt-out of deployment telemetry
 "parTopLevelPolicyAssignmentSovereigntyGlobal": {
 "value": {
 "parTopLevelSovereigntyGlobalPoliciesEnable": false,
- "parListOfAllowedLocations": []
+ "parListOfAllowedLocations": [],
+ "parPolicyEffect": "Deny"
 }
 },
 "parPolicyAssignmentSovereigntyConfidential": {
 "value": {
 "parAllowedResourceTypes": [],
 "parListOfAllowedLocations": [],
- "parAllowedVirtualMachineSKUs": []
+ "parAllowedVirtualMachineSKUs": [],
+ "parPolicyEffect": "Deny"
 }
 },
 "parPlatformMgAlzDefaultsEnable": {
@@ -249,6 +262,9 @@ Set Parameter to true to Opt-out of deployment telemetry
 "parDisableAlzDefaultPolicies": {
 "value": false
 },
+ "parDisableSlzDefaultPolicies": {
+ "value": false
+ },
 "parVmBackupExclusionTagName": {
 "value": ""
 },
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
index 1749f927d..6f500b846 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
@@ -11,7 +11,8 @@
 "parTopLevelPolicyAssignmentSovereigntyGlobal": {
 "value": {
 "parTopLevelSovereigntyGlobalPoliciesEnable": false,
- "parListOfAllowedLocations": []
+ "parListOfAllowedLocations": [],
+ "parPolicyEffect": "Deny"
 }
 },
 "parPlatformMgAlzDefaultsEnable": {
@@ -27,7 +28,8 @@
 "value": {
 "parAllowedResourceTypes": [],
 "parListOfAllowedLocations": [],
- "parAllowedVirtualMachineSKUs": []
+ "parAllowedVirtualMachineSKUs": [],
+ "parPolicyEffect": "Deny"
 }
 },
 "parLogAnalyticsWorkSpaceAndAutomationAccountLocation": {