From e7693e162d2f77d02e6765699ff637eda0bb39a6 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Wed, 21 Feb 2024 11:49:41 -0800 Subject: [PATCH 01/37] Update alzDefaultPolicyAssignments.bicep MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Issue 1 : Currently, all the ALZ modules will be deployed when the policy assignment file is invoked. ALZ modules should be deployed optionally based on the flag. Issue 2 : The SLZ policy assignment modules are using ALZ flag to control the policy enforcement. All the SLZ modules should use the SLZ flag for SLZ policy enforcement or make it ‘Default’. Issue 3 : The SLZ policy assignment modules don’t have policyEffect param, which we previously supported. --- .../alzDefaultPolicyAssignments.bicep | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 4a013eb3b..1287d101b 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -101,6 +101,9 @@ param parExcludedPolicyAssignments array = [] @sys.description('Set Parameter to true to Opt-out of deployment telemetry') param parTelemetryOptOut bool = false +@description('Effect type for all policy definitions') +param parPolicyEffect string = 'Deny' + var varLogAnalyticsWorkspaceName = split(parLogAnalyticsWorkspaceResourceId, '/')[8] var varLogAnalyticsWorkspaceResourceGroupName = split(parLogAnalyticsWorkspaceResourceId, '/')[4] 
@@ -524,9 +527,12 @@ module modPolicyAssignmentIntRootEnforceSovereigntyGlobal '../../../policy/assig #disable-next-line no-loc-expr-outside-params value: !(empty(parTopLevelPolicyAssignmentSovereigntyGlobal.parListOfAllowedLocations)) ? parTopLevelPolicyAssignmentSovereigntyGlobal.parListOfAllowedLocations : array(deployment().location) } + effect: { + value: parPolicyEffect + } } parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignGlobal.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignGlobal.libDefinition.properties.enforcementMode + parPolicyAssignmentEnforcementMode: parTopLevelPolicyAssignmentSovereigntyGlobal.parTopLevelSovereigntyGlobalPoliciesEnable ? 'Default' : varPolicyAssignmentEnforceSovereignGlobal.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } @@ -1560,9 +1566,12 @@ module modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf '../../../ allowedVirtualMachineSKUs: { value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.parameters.allowedVirtualMachineSKUs.value } + effect: { + value: parPolicyEffect + } } parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignConf.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode + parPolicyAssignmentEnforcementMode: parLandingZoneMgConfidentialEnable ? 'Default' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } 
@@ -1589,9 +1598,12 @@ module modPolicyAssignmentLzsConfidentialCorpEnforceSovereigntyConf '../../../po allowedVirtualMachineSKUs: { value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.parameters.allowedVirtualMachineSKUs.value } + effect: { + value: parPolicyEffect + } } parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignConf.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode + parPolicyAssignmentEnforcementMode: parLandingZoneMgConfidentialEnable ? 'Default' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } From 0f1725c09f2c214fbffacc15104b262914788f4a Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Wed, 21 Feb 2024 14:10:25 -0800 Subject: [PATCH 02/37] Update alzDefaultPolicyAssignments.bicep.md parPolicyEffect | Deny | Set Parameter for effect type for all policy definitions --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 1 + 1 file changed, 1 insertion(+) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index d15411fdc..8b1dff502 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md 
@@ -26,6 +26,7 @@ parVmBackupExclusionTagName | No | Name of the tag to use for excluding VM parVmBackupExclusionTagValue | No | Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. parExcludedPolicyAssignments | No | Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry +parPolicyEffect | Deny | Set Parameter for effect type for all policy definitions ### parTopLevelManagementGroupPrefix From 14ec44bb683edf32f92e0a3bc6dfc9f35bc53b09 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Wed, 21 Feb 2024 14:26:19 -0800 Subject: [PATCH 03/37] Update mc-alzDefaultPolicyAssignments.bicep.md parPolicyEffect | Deny | Set Parameter for effect type for all policy definitions --- .../generateddocs/mc-alzDefaultPolicyAssignments.bicep.md | 1 + 1 file changed, 1 insertion(+) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md index 5e4d46f33..07c916e8f 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md 
@@ -16,6 +16,7 @@ parMsDefenderForCloudEmailSecurityContact | No | An e-mail address that yo parDdosProtectionPlanId | No | ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues. parDisableAlzDefaultPolicies | No | Set Enforcement Mode of all default Policies assignments to Do Not Enforce. parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry +parPolicyEffect | Deny | Set Parameter for effect type for all policy definitions ### parTopLevelManagementGroupPrefix From 2ae19fb630eb714c6072bda208415f425bff2f6c Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Wed, 21 Feb 2024 14:36:37 -0800 Subject: [PATCH 04/37] Update mc-alzDefaultPolicyAssignments.bicep.md Effect type for all policy definitions --- .../generateddocs/mc-alzDefaultPolicyAssignments.bicep.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md index 07c916e8f..ef5afc2dc 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md 
@@ -16,7 +16,7 @@ parMsDefenderForCloudEmailSecurityContact | No | An e-mail address that yo parDdosProtectionPlanId | No | ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues. parDisableAlzDefaultPolicies | No | Set Enforcement Mode of all default Policies assignments to Do Not Enforce. parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry -parPolicyEffect | Deny | Set Parameter for effect type for all policy definitions +parPolicyEffect | Deny | Effect type for all policy definitions ### parTopLevelManagementGroupPrefix From 93931c6d211d866d60c336ff9211e3a97e03be5c Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Wed, 21 Feb 2024 14:37:12 -0800 Subject: [PATCH 05/37] Update alzDefaultPolicyAssignments.bicep.md Effect type for all policy definitions --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index 8b1dff502..1c8a58084 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md 
@@ -26,7 +26,7 @@ parVmBackupExclusionTagName | No | Name of the tag to use for excluding VM parVmBackupExclusionTagValue | No | Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. parExcludedPolicyAssignments | No | Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry -parPolicyEffect | Deny | Set Parameter for effect type for all policy definitions +parPolicyEffect | Deny | Effect type for all policy definitions ### parTopLevelManagementGroupPrefix From 6716922fa7960c15796d2e02ee26a1f519e32c94 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Wed, 21 Feb 2024 14:41:52 -0800 Subject: [PATCH 06/37] Update alzDefaultPolicyAssignments.bicep.md --- .../alzDefaultPolicyAssignments.bicep.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index 1c8a58084..b31ddb430 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md 
@@ -183,6 +183,14 @@ Set Parameter to true to Opt-out of deployment telemetry - Default value: `False` +### parPolicyEffect + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Effect type for all policy definitions + +- Default value: `Deny` + ## Snippets ### Parameter file @@ -262,6 +270,9 @@ Set Parameter to true to Opt-out of deployment telemetry "parTelemetryOptOut": { "value": false } + "parPolicyEffect": { + "value": "Deny" + } } } ``` From e4f0e690e8c8105c1c83d5a26fae5cc5d1041013 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Wed, 21 Feb 2024 14:45:54 -0800 Subject: [PATCH 07/37] Update mc-alzDefaultPolicyAssignments.bicep.md --- .../generateddocs/mc-alzDefaultPolicyAssignments.bicep.md | 1 - 1 file changed, 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md index ef5afc2dc..5e4d46f33 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md @@ -16,7 +16,6 @@ parMsDefenderForCloudEmailSecurityContact | No | An e-mail address that yo parDdosProtectionPlanId | No | ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues. parDisableAlzDefaultPolicies | No | Set Enforcement Mode of all default Policies assignments to Do Not Enforce. parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry -parPolicyEffect | Deny | Effect type for all policy definitions ### parTopLevelManagementGroupPrefix 
From b00cc799206c6f396ba64ef34a9ee1c6fa8af5c4 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Wed, 21 Feb 2024 14:54:05 -0800 Subject: [PATCH 08/37] Update alzDefaultPolicyAssignments.bicep --- .../assignments/alzDefaults/alzDefaultPolicyAssignments.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 1287d101b..925f6c559 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -101,7 +101,7 @@ param parExcludedPolicyAssignments array = [] @sys.description('Set Parameter to true to Opt-out of deployment telemetry') param parTelemetryOptOut bool = false -@description('Effect type for all policy definitions') +@sys.description('Effect type for all policy definitions') param parPolicyEffect string = 'Deny' var varLogAnalyticsWorkspaceName = split(parLogAnalyticsWorkspaceResourceId, '/')[8] From f686c233567fe9ae6bcb179972767f1a5957f707 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Wed, 21 Feb 2024 14:54:39 -0800 Subject: [PATCH 09/37] Update alzDefaultPolicyAssignments.bicep.md --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index b31ddb430..44e1bb605 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md 
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md @@ -26,7 +26,7 @@ parVmBackupExclusionTagName | No | Name of the tag to use for excluding VM parVmBackupExclusionTagValue | No | Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. parExcludedPolicyAssignments | No | Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry -parPolicyEffect | Deny | Effect type for all policy definitions +parPolicyEffect | No | Effect type for all policy definitions ### parTopLevelManagementGroupPrefix From 92052a7b822f2b768ee4efecc5c0fb1ea25e30f3 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Thu, 22 Feb 2024 10:39:46 -0800 Subject: [PATCH 10/37] Update alzDefaultPolicyAssignments.bicep Update the parameter name to parSovereigntyPolicyEffect. --- .../alzDefaults/alzDefaultPolicyAssignments.bicep | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 925f6c559..8477def1b 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep 
@@ -101,8 +101,8 @@ param parExcludedPolicyAssignments array = [] @sys.description('Set Parameter to true to Opt-out of deployment telemetry') param parTelemetryOptOut bool = false -@sys.description('Effect type for all policy definitions') -param parPolicyEffect string = 'Deny' +@sys.description('Effect type for sovereign policy definitions') +param parSovereigntyPolicyEffect string = 'Deny' var varLogAnalyticsWorkspaceName = split(parLogAnalyticsWorkspaceResourceId, '/')[8] @@ -528,7 +528,7 @@ module modPolicyAssignmentIntRootEnforceSovereigntyGlobal '../../../policy/assig value: !(empty(parTopLevelPolicyAssignmentSovereigntyGlobal.parListOfAllowedLocations)) ? parTopLevelPolicyAssignmentSovereigntyGlobal.parListOfAllowedLocations : array(deployment().location) } effect: { - value: parPolicyEffect + value: parSovereigntyPolicyEffect } } parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignGlobal.libDefinition.identity.type @@ -1567,7 +1567,7 @@ module modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf '../../../ value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.parameters.allowedVirtualMachineSKUs.value } effect: { - value: parPolicyEffect + value: parSovereigntyPolicyEffect } } parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignConf.libDefinition.identity.type 
@@ -1599,7 +1599,7 @@ module modPolicyAssignmentLzsConfidentialCorpEnforceSovereigntyConf '../../../po value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.parameters.allowedVirtualMachineSKUs.value } effect: { - value: parPolicyEffect + value: parSovereigntyPolicyEffect } } parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignConf.libDefinition.identity.type From 8ff47915291e3fb97708f31d7c080dc926f653bb Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Thu, 22 Feb 2024 10:41:04 -0800 Subject: [PATCH 11/37] Update alzDefaultPolicyAssignments.bicep.md parSovereigntyPolicyEffect --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index 44e1bb605..17b7cbb1f 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md 
@@ -26,7 +26,7 @@ parVmBackupExclusionTagName | No | Name of the tag to use for excluding VM parVmBackupExclusionTagValue | No | Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. parExcludedPolicyAssignments | No | Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry -parPolicyEffect | No | Effect type for all policy definitions +parSovereigntyPolicyEffect | No | Effect type for sovereign policy definitions ### parTopLevelManagementGroupPrefix From 67772e862283ae0d66eab85c803de0ab1100ff5f Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Thu, 22 Feb 2024 10:43:37 -0800 Subject: [PATCH 12/37] Update alzDefaultPolicyAssignments.bicep.md parSovereigntyPolicyEffect --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index 17b7cbb1f..4a3535ba1 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md 
@@ -183,11 +183,11 @@ Set Parameter to true to Opt-out of deployment telemetry - Default value: `False` -### parPolicyEffect +### parSovereigntyPolicyEffect ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Effect type for all policy definitions +Effect type for sovereign policy definitions - Default value: `Deny` @@ -270,7 +270,7 @@ Effect type for all policy definitions "parTelemetryOptOut": { "value": false } - "parPolicyEffect": { + "parSovereigntyPolicyEffect": { "value": "Deny" } } From 2f04a25ad9d743d39954eba66756c3e270b146d8 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Thu, 22 Feb 2024 10:56:08 -0800 Subject: [PATCH 13/37] Update alzDefaultPolicyAssignments.bicep.md --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index 4a3535ba1..6b4b54115 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md @@ -269,7 +269,7 @@ Effect type for sovereign policy definitions }, "parTelemetryOptOut": { "value": false - } + }, "parSovereigntyPolicyEffect": { "value": "Deny" } From c70f4f6f3b541a3c16fe7d2e0e76346daa83d91d Mon Sep 17 00:00:00 2001 
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Mon, 26 Feb 2024 10:49:43 -0800 Subject: [PATCH 14/37] Update alzDefaultPolicyAssignments.bicep Add sovereignty policy effect for different levels and parDisableSlzDefaultPolicies parameters. --- .../alzDefaultPolicyAssignments.bicep | 37 ++++++++++++++++--- 1 file changed, 32 insertions(+), 5 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 8477def1b..c093ba446 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -89,6 +89,9 @@ param parPrivateDnsZonesNamesToAuditInCorp array = [] @sys.description('Set Enforcement Mode of all default Policies assignments to Do Not Enforce.') param parDisableAlzDefaultPolicies bool = false +@sys.description('Set Enforcement Mode of all default sovereign Policies assignments to Do Not Enforce.') +param parDisableSlzDefaultPolicies bool = false + @sys.description('Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter.') param parVmBackupExclusionTagName string = '' 
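Review bot: Adding `parDisableSlzDefaultPolicies` leaves the description on the context line above it, `Set Enforcement Mode of all default Policies assignments to Do Not Enforce.`, overstating what `parDisableAlzDefaultPolicies` now does: the later hunks of this commit switch the three Enforce-Sovereign assignments to the new flag, so an operator who sets only the ALZ flag (which was sufficient before) will still have the sovereignty guardrails enforced, and nothing in the parameter text says so. Suggest narrowing the existing line to `@sys.description('Set Enforcement Mode of all default ALZ Policies assignments to Do Not Enforce. Sovereign (SLZ) assignments are controlled by parDisableSlzDefaultPolicies.')` and stating in the new parameter's description which assignments it covers. Since this changes the behaviour of existing parameter files, it is worth calling out in the module's release notes.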
@@ -101,6 +104,30 @@ param parExcludedPolicyAssignments array = [] @sys.description('Set Parameter to true to Opt-out of deployment telemetry') param parTelemetryOptOut bool = false +@allowed([ + 'Audit' + 'Deny' + 'Disabled' + 'AuditIfNotExists' +]) +@sys.description('Effect type for sovereign global policy definitions') +param parTopLevelSovereigntyGlobalPolicyEffect string = 'Deny' + +@allowed([ + 'Audit' + 'Deny' + 'Disabled' + 'AuditIfNotExists' +]) +@sys.description('Effect type for sovereign confidential policy definitions') +param parSovereigntyConfidentialPolicyEffect string = 'Deny' + +@allowed([ + 'Audit' + 'Deny' + 'Disabled' + 'AuditIfNotExists' +]) @sys.description('Effect type for sovereign policy definitions') param parSovereigntyPolicyEffect string = 'Deny' @@ -528,11 +555,11 @@ module modPolicyAssignmentIntRootEnforceSovereigntyGlobal '../../../policy/assig value: !(empty(parTopLevelPolicyAssignmentSovereigntyGlobal.parListOfAllowedLocations)) ? parTopLevelPolicyAssignmentSovereigntyGlobal.parListOfAllowedLocations : array(deployment().location) } effect: { - value: parSovereigntyPolicyEffect + value: parTopLevelSovereigntyGlobalPolicyEffect } } parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignGlobal.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: parTopLevelPolicyAssignmentSovereigntyGlobal.parTopLevelSovereigntyGlobalPoliciesEnable ? 'Default' : varPolicyAssignmentEnforceSovereignGlobal.libDefinition.properties.enforcementMode + parPolicyAssignmentEnforcementMode: parDisableSlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignGlobal.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } 
@@ -1567,11 +1594,11 @@ module modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf '../../../ value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.parameters.allowedVirtualMachineSKUs.value } effect: { - value: parSovereigntyPolicyEffect + value: parSovereigntyConfidentialPolicyEffect } } parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignConf.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: parLandingZoneMgConfidentialEnable ? 'Default' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode + parPolicyAssignmentEnforcementMode: parDisableSlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } @@ -1603,7 +1630,7 @@ module modPolicyAssignmentLzsConfidentialCorpEnforceSovereigntyConf '../../../po } } parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignConf.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: parLandingZoneMgConfidentialEnable ? 'Default' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode + parPolicyAssignmentEnforcementMode: parDisableSlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } From 6c7200eec3485f6c1cc99703f11abf10dc94f244 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Mon, 26 Feb 2024 10:59:48 -0800 Subject: [PATCH 15/37] Update alzDefaultPolicyAssignments.bicep.md Update for new policy effects and parDisableSlzDefaultPolicies parameters. --- .../alzDefaultPolicyAssignments.bicep.md | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) 
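Review bot: The Corp confidential assignment in the `@@ -1603,7 +1630,7` hunk still appears to take its `effect` from `parSovereigntyPolicyEffect`: that `value:` line sits just above this hunk's context (it was last touched in patch 10 of this series) and the commit's 32/5 diffstat is fully accounted for by the other hunks, so only the Online confidential assignment in the `@@ -1567,11 +1594,11` hunk reads the new `parSovereigntyConfidentialPolicyEffect`. As written, an operator who sets `parSovereigntyConfidentialPolicyEffect` to `Audit` relaxes the Online scope but leaves Corp on the `Deny` default of the other parameter, which the description `Effect type for sovereign confidential policy definitions` does not suggest. The fix is `value: parSovereigntyConfidentialPolicyEffect` in the Corp module as well; once that is done `parSovereigntyPolicyEffect` (declared in the `@@ -101,6 +104,30` hunk) has no remaining reference and should be removed or given a documented role. Both module bodies start outside their hunks.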
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index 6b4b54115..f0ce89db8 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md 
@@ -22,10 +22,13 @@ parDdosProtectionPlanId | No | ID of the DdosProtectionPlan which will be parPrivateDnsResourceGroupId | No | Resource ID of the Resource Group that conatin the Private DNS Zones. If left empty, the policy Deploy-Private-DNS-Zones will not be assigned to the corp Management Group. parPrivateDnsZonesNamesToAuditInCorp | No | Provide an array/list of Private DNS Zones that you wish to audit if deployed into Subscriptions in the Corp Management Group. NOTE: The policy default values include all the static Private Link Private DNS Zones, e.g. all the DNS Zones that dont have a region or region shortcode in them. If you wish for these to be audited also you must provide a complete array/list to this parameter for ALL Private DNS Zones you wish to audit, including the static Private Link ones, as this parameter performs an overwrite operation. You can get all the Private DNS Zone Names form the `outPrivateDnsZonesNames` output in the Hub Networking or Private DNS Zone modules. parDisableAlzDefaultPolicies | No | Set Enforcement Mode of all default Policies assignments to Do Not Enforce. +parDisableSlzDefaultPolicies | No | Set Enforcement Mode of all default sovereign Policies assignments to Do Not Enforce. parVmBackupExclusionTagName | No | Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter. parVmBackupExclusionTagValue | No | Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. parExcludedPolicyAssignments | No | Adding assignment definition names to this array will exclude the specific policies from assignment. 
Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry +parTopLevelSovereigntyGlobalPolicyEffect | No | Effect type for sovereign global policy definitions +parSovereigntyConfidentialPolicyEffect | No | Effect type for sovereign confidential policy definitions parSovereigntyPolicyEffect | No | Effect type for sovereign policy definitions ### parTopLevelManagementGroupPrefix @@ -157,6 +160,14 @@ Set Enforcement Mode of all default Policies assignments to Do Not Enforce. - Default value: `False` +### parDisableSlzDefaultPolicies + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Enforcement Mode of all default sovereign Policies assignments to Do Not Enforce. + +- Default value: `False` + ### parVmBackupExclusionTagName ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) @@ -183,6 +194,22 @@ Set Parameter to true to Opt-out of deployment telemetry - Default value: `False` +### parTopLevelSovereigntyGlobalPolicyEffec + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Effect type for sovereign global policy definitions + +- Default value: `Deny` + +### parSovereigntyConfidentialPolicyEffect + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Effect type for sovereign confidential policy definitions + +- Default value: `Deny` + ### parSovereigntyPolicyEffect ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) 
@@ -258,6 +285,9 @@ Effect type for sovereign policy definitions "parDisableAlzDefaultPolicies": { "value": false }, + "parDisableSlzDefaultPolicies": { + "value": false + }, "parVmBackupExclusionTagName": { "value": "" }, @@ -270,6 +300,12 @@ Effect type for sovereign policy definitions "parTelemetryOptOut": { "value": false }, + "parTopLevelSovereigntyGlobalPolicyEffect": { + "value": "Deny" + }, + "parSovereigntyConfidentialPolicyEffect": { + "value": "Deny" + }, "parSovereigntyPolicyEffect": { "value": "Deny" } From 1879d8d754a46f85d84c90aa88c2d77c5b44ebfa Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Mon, 26 Feb 2024 14:08:10 -0800 Subject: [PATCH 16/37] Update alzDefaultPolicyAssignments.bicep.md Add allowed values in the markdown file. --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index f0ce89db8..94f9da947 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md @@ -194,13 +194,14 @@ Set Parameter to true to Opt-out of deployment telemetry - Default value: `False` -### parTopLevelSovereigntyGlobalPolicyEffec +### parTopLevelSovereigntyGlobalPolicyEffect ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) Effect type for sovereign global policy definitions - Default value: `Deny` +- Allowed values: `Audit`, `Deny`, `Disabled`, `AuditIfNotExists` ### parSovereigntyConfidentialPolicyEffect 
@@ -209,6 +210,7 @@ Effect type for sovereign global policy definitions Effect type for sovereign confidential policy definitions - Default value: `Deny` +- Allowed values: `Audit`, `Deny`, `Disabled`, `AuditIfNotExists` ### parSovereigntyPolicyEffect @@ -217,6 +219,7 @@ Effect type for sovereign confidential policy definitions Effect type for sovereign policy definitions - Default value: `Deny` +- Allowed values: `Audit`, `Deny`, `Disabled`, `AuditIfNotExists` ## Snippets From ba47cdf41cb50812da17bf535be60053ff0608c5 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Mon, 26 Feb 2024 14:14:33 -0800 Subject: [PATCH 17/37] Update alzDefaultPolicyAssignments.bicep.md --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index 94f9da947..839c3125a 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md @@ -200,8 +200,8 @@ Set Parameter to true to Opt-out of deployment telemetry Effect type for sovereign global policy definitions -- Default value: `Deny` - Allowed values: `Audit`, `Deny`, `Disabled`, `AuditIfNotExists` +- Default value: `Deny` ### parSovereigntyConfidentialPolicyEffect @@ -209,8 +209,8 @@ Effect type for sovereign global policy definitions Effect type for sovereign confidential policy definitions -- Default value: `Deny` - Allowed values: `Audit`, `Deny`, `Disabled`, `AuditIfNotExists` +- Default value: `Deny` ### parSovereigntyPolicyEffect 
@@ -218,8 +218,8 @@ Effect type for sovereign confidential policy definitions Effect type for sovereign policy definitions -- Default value: `Deny` - Allowed values: `Audit`, `Deny`, `Disabled`, `AuditIfNotExists` +- Default value: `Deny` ## Snippets From 32ef2e09005258847d2727d8819b5ab559115142 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Mon, 26 Feb 2024 14:27:57 -0800 Subject: [PATCH 18/37] Update alzDefaultPolicyAssignments.bicep.md --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index 839c3125a..5c42e4e29 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md @@ -201,7 +201,6 @@ Set Parameter to true to Opt-out of deployment telemetry Effect type for sovereign global policy definitions - Allowed values: `Audit`, `Deny`, `Disabled`, `AuditIfNotExists` -- Default value: `Deny` ### parSovereigntyConfidentialPolicyEffect @@ -210,7 +209,6 @@ Effect type for sovereign global policy definitions Effect type for sovereign confidential policy definitions - Allowed values: `Audit`, `Deny`, `Disabled`, `AuditIfNotExists` -- Default value: `Deny` ### parSovereigntyPolicyEffect @@ -219,7 +217,6 @@ Effect type for sovereign confidential policy definitions Effect type for sovereign policy definitions - Allowed values: `Audit`, `Deny`, `Disabled`, `AuditIfNotExists` -- Default value: `Deny` ## Snippets From 47d5e5a51b332deff27232c90af3c606564cd7d0 Mon Sep 17 00:00:00 2001 
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Mon, 26 Feb 2024 14:42:56 -0800 Subject: [PATCH 19/37] Update alzDefaultPolicyAssignments.bicep.md --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index 5c42e4e29..94f9da947 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md @@ -200,6 +200,7 @@ Set Parameter to true to Opt-out of deployment telemetry Effect type for sovereign global policy definitions +- Default value: `Deny` - Allowed values: `Audit`, `Deny`, `Disabled`, `AuditIfNotExists` ### parSovereigntyConfidentialPolicyEffect @@ -208,6 +209,7 @@ Effect type for sovereign global policy definitions Effect type for sovereign confidential policy definitions +- Default value: `Deny` - Allowed values: `Audit`, `Deny`, `Disabled`, `AuditIfNotExists` ### parSovereigntyPolicyEffect @@ -216,6 +218,7 @@ Effect type for sovereign confidential policy definitions Effect type for sovereign policy definitions +- Default value: `Deny` - Allowed values: `Audit`, `Deny`, `Disabled`, `AuditIfNotExists` ## Snippets From fa19f37d252f051d5ee836c02e7768bb2de16058 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Mon, 26 Feb 2024 14:47:11 -0800 Subject: [PATCH 20/37] Update alzDefaultPolicyAssignments.bicep.md Adding blank line. --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
index 94f9da947..73326964c 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
@@ -201,6 +201,7 @@ Set Parameter to true to Opt-out of deployment telemetry
 Effect type for sovereign global policy definitions
 - Default value: `Deny`
+
 - Allowed values: `Audit`, `Deny`, `Disabled`, `AuditIfNotExists`
 ### parSovereigntyConfidentialPolicyEffect
@@ -210,6 +211,7 @@ Effect type for sovereign global policy definitions
 Effect type for sovereign confidential policy definitions
 - Default value: `Deny`
+
 - Allowed values: `Audit`, `Deny`, `Disabled`, `AuditIfNotExists`
 ### parSovereigntyPolicyEffect
@@ -219,6 +221,7 @@ Effect type for sovereign confidential policy definitions
 Effect type for sovereign policy definitions
 - Default value: `Deny`
+
 - Allowed values: `Audit`, `Deny`, `Disabled`, `AuditIfNotExists`
 ## Snippets
From 3cf99ccc5817bd13dcb0d562bfc64f0177edbde7 Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Mon, 26 Feb 2024 18:12:19 -0600
Subject: [PATCH 21/37] Add effect properties to UDT and remove disable slz policy param
---
 .../alzDefaultPolicyAssignments.bicep | 52 ++++++-------------
 ...faultPolicyAssignments.parameters.all.json | 6 ++-
 2 files changed, 20 insertions(+), 38 deletions(-)
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
index c093ba446..5d9f42779 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -7,6 +7,9 @@ type policyAssignmentSovereigntyGlobalOptionsType = {
 @sys.description('The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.')
 parListOfAllowedLocations: string[]
+
+ @sys.description('The effect type for the Sovereignty Baseline - Global Policies Assignment.')
+ parTopLevelSovereigntyGlobalPolicyEffect: ('Audit' | 'Deny' | 'Disabled' | 'AuditIfNotExists')
 }
 type policyAssignmentSovereigntyConfidentialOptionsType = {
@@ -18,6 +21,9 @@ type policyAssignmentSovereigntyConfidentialOptionsType = {
 @sys.description('The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs.')
 parAllowedVirtualMachineSKUs: string[]
+
+ @sys.description('The effect type for the Sovereignty Baseline - Confidential Policies Assignment.')
+ parSovereigntyConfidentialPolicyEffect: ('Audit' | 'Deny' | 'Disabled' | 'AuditIfNotExists')
 }
 @sys.description('Prefix used for the management group hierarchy.')
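Review bot: `parTopLevelSovereigntyGlobalPolicyEffect` is added to `policyAssignmentSovereigntyGlobalOptionsType` as a required property, so a caller that supplies its own `parTopLevelPolicyAssignmentSovereigntyGlobal` object with only `parTopLevelSovereigntyGlobalPoliciesEnable` and `parListOfAllowedLocations` (as every pre-existing parameter file would) now fails type validation instead of inheriting the 'Deny' default. The `@@ -18,6 +21,9 @@` hunk has the same issue for `parSovereigntyConfidentialPolicyEffect` on the confidential type. If the Bicep version this repo builds with supports nullable type properties, declaring it as `parTopLevelSovereigntyGlobalPolicyEffect: ('Audit' | 'Deny' | 'Disabled' | 'AuditIfNotExists')?` and reading it as `parTopLevelPolicyAssignmentSovereigntyGlobal.parTopLevelSovereigntyGlobalPolicyEffect ?? 'Deny'` at the assignment keeps older inputs working while still defaulting to the most restrictive effect; otherwise the breaking change should be stated in the parameter description and release notes.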
@@ -33,11 +39,13 @@ param parTopLevelManagementGroupSuffix string = ''
 - `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group.
 - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.
+- `parTopLevelSovereigntyGlobalPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment.
 ''')
 param parTopLevelPolicyAssignmentSovereigntyGlobal policyAssignmentSovereigntyGlobalOptionsType = {
 parTopLevelSovereigntyGlobalPoliciesEnable: false
 parListOfAllowedLocations: []
+ parTopLevelSovereigntyGlobalPolicyEffect: 'Deny'
 }
 @sys.description('''Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.'
@@ -45,12 +53,14 @@ param parTopLevelPolicyAssignmentSovereigntyGlobal policyAssignmentSovereigntyGl
 - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types.
 - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.
 - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs.
+- `parSovereigntyConfidentialPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment.
 ''')
 param parPolicyAssignmentSovereigntyConfidential policyAssignmentSovereigntyConfidentialOptionsType = {
 parAllowedResourceTypes: []
 parListOfAllowedLocations: []
 parAllowedVirtualMachineSKUs: []
+ parSovereigntyConfidentialPolicyEffect: 'Deny'
 }
 @sys.description('Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.')
@@ -89,9 +99,6 @@ param parPrivateDnsZonesNamesToAuditInCorp array = []
 @sys.description('Set Enforcement Mode of all default Policies assignments to Do Not Enforce.')
 param parDisableAlzDefaultPolicies bool = false
-@sys.description('Set Enforcement Mode of all default sovereign Policies assignments to Do Not Enforce.')
-param parDisableSlzDefaultPolicies bool = false
-
 @sys.description('Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter.')
 param parVmBackupExclusionTagName string = ''
@@ -104,33 +111,6 @@ param parExcludedPolicyAssignments array = []
 @sys.description('Set Parameter to true to Opt-out of deployment telemetry')
 param parTelemetryOptOut bool = false
-@allowed([
- 'Audit'
- 'Deny'
- 'Disabled'
- 'AuditIfNotExists'
-])
-@sys.description('Effect type for sovereign global policy definitions')
-param parTopLevelSovereigntyGlobalPolicyEffect string = 'Deny'
-
-@allowed([
- 'Audit'
- 'Deny'
- 'Disabled'
- 'AuditIfNotExists'
-])
-@sys.description('Effect type for sovereign confidential policy definitions')
-param parSovereigntyConfidentialPolicyEffect string = 'Deny'
-
-@allowed([
- 'Audit'
- 'Deny'
- 'Disabled'
- 'AuditIfNotExists'
-])
-@sys.description('Effect type for sovereign policy definitions')
-param parSovereigntyPolicyEffect string = 'Deny'
-
 var varLogAnalyticsWorkspaceName = split(parLogAnalyticsWorkspaceResourceId, '/')[8]
 var varLogAnalyticsWorkspaceResourceGroupName = split(parLogAnalyticsWorkspaceResourceId, '/')[4]
@@ -555,11 +535,11 @@ module modPolicyAssignmentIntRootEnforceSovereigntyGlobal '../../../policy/assig
 value: !(empty(parTopLevelPolicyAssignmentSovereigntyGlobal.parListOfAllowedLocations)) ? parTopLevelPolicyAssignmentSovereigntyGlobal.parListOfAllowedLocations : array(deployment().location)
 }
 effect: {
- value: parTopLevelSovereigntyGlobalPolicyEffect
+ value: parTopLevelPolicyAssignmentSovereigntyGlobal.parTopLevelSovereigntyGlobalPolicyEffect
 }
 }
 parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignGlobal.libDefinition.identity.type
- parPolicyAssignmentEnforcementMode: parDisableSlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignGlobal.libDefinition.properties.enforcementMode
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignGlobal.libDefinition.properties.enforcementMode
 parTelemetryOptOut: parTelemetryOptOut
 }
 }
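Review bot: `parSovereigntyPolicyEffect` is removed from the template here, but the generated documentation touched later in this series (the `@@ -27,8 +27,6 @@`, `@@ -194,26 +192,6 @@` and `@@ -306,12 +286,6 @@` hunks of patch 23) still lists `parSovereigntyPolicyEffect | No | Effect type for sovereign policy definitions`, keeps its `### parSovereigntyPolicyEffect` section and leaves `"parSovereigntyPolicyEffect": { "value": "Deny" }` in the parameter snippet. A reader who copies that snippet passes a parameter the template no longer declares, which is rejected at deployment time. The generated docs should be regenerated from this revision, and the parameters.all.json should be checked for the same key, since the JSON hunks in this patch do not show it being removed.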
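Review bot: The enforcement mode of the Sovereignty Baseline - Global assignment is now driven by `parDisableAlzDefaultPolicies`, but that flag's description (context in the `@@ -89,9 +99,6 @@` hunk) still reads 'Set Enforcement Mode of all default Policies assignments to Do Not Enforce.', which does not tell an operator that flipping it to relax the ALZ defaults also sets the sovereignty assignments to DoNotEnforce, so their Deny effect no longer blocks anything. The `@@ -1594,11 +1574,11 @@` and `@@ -1626,11 +1606,11 @@` hunks wire the two confidential assignments the same way. Suggest making the coupling explicit in that description, e.g. `@sys.description('Set Enforcement Mode of all default Policies assignments, including the Sovereignty Baseline assignments, to Do Not Enforce.')`. The enclosing `modPolicyAssignmentIntRootEnforceSovereigntyGlobal` module starts outside the hunk.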
@@ -1594,11 +1574,11 @@ module modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf '../../../
 value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.parameters.allowedVirtualMachineSKUs.value
 }
 effect: {
- value: parSovereigntyConfidentialPolicyEffect
+ value: parPolicyAssignmentSovereigntyConfidential.parSovereigntyConfidentialPolicyEffect
 }
 }
 parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignConf.libDefinition.identity.type
- parPolicyAssignmentEnforcementMode: parDisableSlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode
 parTelemetryOptOut: parTelemetryOptOut
 }
 }
@@ -1626,11 +1606,11 @@ module modPolicyAssignmentLzsConfidentialCorpEnforceSovereigntyConf '../../../po
 value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.parameters.allowedVirtualMachineSKUs.value
 }
 effect: {
- value: parSovereigntyPolicyEffect
+ value: parPolicyAssignmentSovereigntyConfidential.parSovereigntyConfidentialPolicyEffect
 }
 }
 parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignConf.libDefinition.identity.type
- parPolicyAssignmentEnforcementMode: parDisableSlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode
 parTelemetryOptOut: parTelemetryOptOut
 }
 }
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
index 1749f927d..f7b07881b 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
@@ -11,7 +11,8 @@
 "parTopLevelPolicyAssignmentSovereigntyGlobal": {
 "value": {
 "parTopLevelSovereigntyGlobalPoliciesEnable": false,
- "parListOfAllowedLocations": []
+ "parListOfAllowedLocations": [],
+ "parTopLevelSovereigntyGlobalPolicyEffect": "Deny"
 }
 },
 "parPlatformMgAlzDefaultsEnable": {
@@ -27,7 +28,8 @@
 "value": {
 "parAllowedResourceTypes": [],
 "parListOfAllowedLocations": [],
- "parAllowedVirtualMachineSKUs": []
+ "parAllowedVirtualMachineSKUs": [],
+ "parSovereigntyConfidentialPolicyEffect": "Deny"
 }
 },
 "parLogAnalyticsWorkSpaceAndAutomationAccountLocation": {
From ce00d222f51f52a71dbede9c6a56d8e7c8992cad Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Mon, 26 Feb 2024 18:17:26 -0600
Subject: [PATCH 22/37] Simplify sov effect policy property names
---
 .../alzDefaultPolicyAssignments.bicep | 18 +++++++++---------
 ...efaultPolicyAssignments.parameters.all.json | 4 ++--
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
index 5d9f42779..c4637bc65 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -9,7 +9,7 @@ type policyAssignmentSovereigntyGlobalOptionsType = {
 parListOfAllowedLocations: string[]
 @sys.description('The effect type for the Sovereignty Baseline - Global Policies Assignment.')
- parTopLevelSovereigntyGlobalPolicyEffect: ('Audit' | 'Deny' | 'Disabled' | 'AuditIfNotExists')
+ parPolicyEffect: ('Audit' | 'Deny' | 'Disabled' | 'AuditIfNotExists')
 }
 type policyAssignmentSovereigntyConfidentialOptionsType = {
@@ -23,7 +23,7 @@ type policyAssignmentSovereigntyConfidentialOptionsType = {
 @sys.description('The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs.')
 parAllowedVirtualMachineSKUs: string[]
 @sys.description('The effect type for the Sovereignty Baseline - Confidential Policies Assignment.')
- parSovereigntyConfidentialPolicyEffect: ('Audit' | 'Deny' | 'Disabled' | 'AuditIfNotExists')
+ parPolicyEffect: ('Audit' | 'Deny' | 'Disabled' | 'AuditIfNotExists')
 }
 @sys.description('Prefix used for the management group hierarchy.')
@@ -39,13 +39,13 @@ param parTopLevelManagementGroupSuffix string = ''
 - `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group.
 - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.
-- `parTopLevelSovereigntyGlobalPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment.
+- `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment.
 ''')
 param parTopLevelPolicyAssignmentSovereigntyGlobal policyAssignmentSovereigntyGlobalOptionsType = {
 parTopLevelSovereigntyGlobalPoliciesEnable: false
 parListOfAllowedLocations: []
- parTopLevelSovereigntyGlobalPolicyEffect: 'Deny'
+ parPolicyEffect: 'Deny'
 }
 @sys.description('''Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.'
@@ -53,14 +53,14 @@ param parTopLevelPolicyAssignmentSovereigntyGlobal policyAssignmentSovereigntyGl
 - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types.
 - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.
 - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs.
-- `parSovereigntyConfidentialPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment.
+- `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment.
 ''')
 param parPolicyAssignmentSovereigntyConfidential policyAssignmentSovereigntyConfidentialOptionsType = {
 parAllowedResourceTypes: []
 parListOfAllowedLocations: []
 parAllowedVirtualMachineSKUs: []
- parSovereigntyConfidentialPolicyEffect: 'Deny'
+ parPolicyEffect: 'Deny'
 }
 @sys.description('Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.')
@@ -535,7 +535,7 @@ module modPolicyAssignmentIntRootEnforceSovereigntyGlobal '../../../policy/assig
 value: !(empty(parTopLevelPolicyAssignmentSovereigntyGlobal.parListOfAllowedLocations)) ? parTopLevelPolicyAssignmentSovereigntyGlobal.parListOfAllowedLocations : array(deployment().location)
 }
 effect: {
- value: parTopLevelPolicyAssignmentSovereigntyGlobal.parTopLevelSovereigntyGlobalPolicyEffect
+ value: parTopLevelPolicyAssignmentSovereigntyGlobal.parPolicyEffect
 }
 }
 parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignGlobal.libDefinition.identity.type
@@ -1574,7 +1574,7 @@ module modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf '../../../
 value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.parameters.allowedVirtualMachineSKUs.value
 }
 effect: {
- value: parPolicyAssignmentSovereigntyConfidential.parSovereigntyConfidentialPolicyEffect
+ value: parPolicyAssignmentSovereigntyConfidential.parPolicyEffect
 }
 }
 parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignConf.libDefinition.identity.type
@@ -1606,7 +1606,7 @@ module modPolicyAssignmentLzsConfidentialCorpEnforceSovereigntyConf '../../../po
 value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.parameters.allowedVirtualMachineSKUs.value
 }
 effect: {
- value: parPolicyAssignmentSovereigntyConfidential.parSovereigntyConfidentialPolicyEffect
+ value: parPolicyAssignmentSovereigntyConfidential.parPolicyEffect
 }
 }
 parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignConf.libDefinition.identity.type
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
index f7b07881b..6f500b846 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
@@ -12,7 +12,7 @@
 "value": {
 "parTopLevelSovereigntyGlobalPoliciesEnable": false,
 "parListOfAllowedLocations": [],
- "parTopLevelSovereigntyGlobalPolicyEffect": "Deny"
+ "parPolicyEffect": "Deny"
 }
 },
 "parPlatformMgAlzDefaultsEnable": {
@@ -29,7 +29,7 @@
 "parAllowedResourceTypes": [],
 "parListOfAllowedLocations": [],
 "parAllowedVirtualMachineSKUs": [],
- "parSovereigntyConfidentialPolicyEffect": "Deny"
+ "parPolicyEffect": "Deny"
 }
 },
 "parLogAnalyticsWorkSpaceAndAutomationAccountLocation": {
From 1171edec7ea4cb99d29ad2a9cec91ed50dc6c2b8 Mon Sep 17 00:00:00 2001
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com>
Date: Mon, 26 Feb 2024 22:28:01 -0800
Subject: [PATCH 23/37] Update alzDefaultPolicyAssignments.bicep.md
Update parameters markdown.
---
 .../alzDefaultPolicyAssignments.bicep.md | 34 +++----------------
 1 file changed, 4 insertions(+), 30 deletions(-)
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
index 73326964c..5a0b1bd99 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
@@ -27,8 +27,6 @@ parVmBackupExclusionTagName | No | Name of the tag to use for excluding VM parVmBackupExclusionTagValue | No | Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. parExcludedPolicyAssignments | No | Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry -parTopLevelSovereigntyGlobalPolicyEffect | No | Effect type for sovereign global policy definitions -parSovereigntyConfidentialPolicyEffect | No | Effect type for sovereign confidential policy definitions parSovereigntyPolicyEffect | No | Effect type for sovereign policy definitions ### parTopLevelManagementGroupPrefix @@ -194,26 +192,6 @@ Set Parameter to true to Opt-out of deployment telemetry - Default value: `False` -### parTopLevelSovereigntyGlobalPolicyEffect - -![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) - -Effect type for sovereign global policy definitions - -- Default value: `Deny` - -- Allowed values: `Audit`, `Deny`, `Disabled`, `AuditIfNotExists` - -### parSovereigntyConfidentialPolicyEffect - -![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) - -Effect type for sovereign confidential policy definitions - -- Default value: `Deny` - -- Allowed values: `Audit`, `Deny`, `Disabled`, `AuditIfNotExists` - ### parSovereigntyPolicyEffect ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) 
@@ -245,14 +223,16 @@ Effect type for sovereign policy definitions "parTopLevelPolicyAssignmentSovereigntyGlobal": { "value": { "parTopLevelSovereigntyGlobalPoliciesEnable": false, - "parListOfAllowedLocations": [] + "parListOfAllowedLocations": [], + "parPolicyEffect": "Deny" } }, "parPolicyAssignmentSovereigntyConfidential": { "value": { "parAllowedResourceTypes": [], "parListOfAllowedLocations": [], - "parAllowedVirtualMachineSKUs": [] + "parAllowedVirtualMachineSKUs": [], + "parPolicyEffect": "Deny" } }, "parPlatformMgAlzDefaultsEnable": { @@ -306,12 +286,6 @@ Effect type for sovereign policy definitions "parTelemetryOptOut": { "value": false }, - "parTopLevelSovereigntyGlobalPolicyEffect": { - "value": "Deny" - }, - "parSovereigntyConfidentialPolicyEffect": { - "value": "Deny" - }, "parSovereigntyPolicyEffect": { "value": "Deny" } From bff6a8ce3f938f4453bef5ae9d9510c90cb0e0d2 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Mon, 26 Feb 2024 22:42:19 -0800 Subject: [PATCH 24/37] Update alzDefaultPolicyAssignments.bicep.md --- .../alzDefaultPolicyAssignments.bicep.md | 24 +++++-------------- 1 file changed, 6 insertions(+), 18 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index 5a0b1bd99..0b2d6946b 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md 
@@ -8,8 +8,8 @@ Parameter name | Required | Description -------------- | -------- | ----------- parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy. parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix -parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. -parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. +parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' 
- `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment. +parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups. parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or online Management Groups. 
parLandingZoneMgConfidentialEnable | No | Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups @@ -27,7 +27,6 @@ parVmBackupExclusionTagName | No | Name of the tag to use for excluding VM parVmBackupExclusionTagValue | No | Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. parExcludedPolicyAssignments | No | Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry -parSovereigntyPolicyEffect | No | Effect type for sovereign policy definitions ### parTopLevelManagementGroupPrefix 
@@ -51,10 +50,11 @@ Object used to assign Sovereignty Baseline - Global Policies to the intermediate - `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. +- `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment. -- Default value: `@{parTopLevelSovereigntyGlobalPoliciesEnable=False; parListOfAllowedLocations=System.Object[]}` +- Default value: `@{parTopLevelSovereigntyGlobalPoliciesEnable=False; parListOfAllowedLocations=System.Object[]; parPolicyEffect=Deny}` ### parPolicyAssignmentSovereigntyConfidential 
@@ -65,10 +65,11 @@ Object used to assign Sovereignty Baseline - Confidential Policies to the confid - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. +- `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. -- Default value: `@{parAllowedResourceTypes=System.Object[]; parListOfAllowedLocations=System.Object[]; parAllowedVirtualMachineSKUs=System.Object[]}` +- Default value: `@{parAllowedResourceTypes=System.Object[]; parListOfAllowedLocations=System.Object[]; parAllowedVirtualMachineSKUs=System.Object[]; parPolicyEffect=Deny}` ### parPlatformMgAlzDefaultsEnable @@ -192,16 +193,6 @@ Set Parameter to true to Opt-out of deployment telemetry - Default value: `False` -### parSovereigntyPolicyEffect - -![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) - -Effect type for sovereign policy definitions - -- Default value: `Deny` - -- Allowed values: `Audit`, `Deny`, `Disabled`, `AuditIfNotExists` - ## Snippets ### Parameter file @@ -285,9 +276,6 @@ Effect type for sovereign policy definitions }, "parTelemetryOptOut": { "value": false - }, - "parSovereigntyPolicyEffect": { - "value": "Deny" } } } From 914ab84c7588a5db62a739f5ab9cc781d16624ec Mon Sep 17 00:00:00 2001 
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Mon, 26 Feb 2024 22:55:12 -0800 Subject: [PATCH 25/37] Update alzDefaultPolicyAssignments.bicep Add parDisableSlzDefaultPolicies. --- .../alzDefaults/alzDefaultPolicyAssignments.bicep | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
index c4637bc65..b61d46e50 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -99,6 +99,9 @@ param parPrivateDnsZonesNamesToAuditInCorp array = []
 @sys.description('Set Enforcement Mode of all default Policies assignments to Do Not Enforce.')
 param parDisableAlzDefaultPolicies bool = false
+@sys.description('Set Enforcement Mode of all default sovereign Policies assignments to Do Not Enforce.')
+param parDisableSlzDefaultPolicies bool = false
+
 @sys.description('Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter.')
 param parVmBackupExclusionTagName string = ''
@@ -539,7 +542,7 @@ module modPolicyAssignmentIntRootEnforceSovereigntyGlobal '../../../policy/assig
 }
 }
 parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignGlobal.libDefinition.identity.type
- parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignGlobal.libDefinition.properties.enforcementMode
+ parPolicyAssignmentEnforcementMode: parDisableSlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignGlobal.libDefinition.properties.enforcementMode
 parTelemetryOptOut: parTelemetryOptOut
 }
 }
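Review bot: The new `parDisableSlzDefaultPolicies` flag (first hunk) decouples the sovereign assignments from `parDisableAlzDefaultPolicies`, but neither its description nor the existing one says so, so an operator who sets `parDisableAlzDefaultPolicies=true` expecting every default assignment to stand down will now still have the Sovereignty Baseline enforced, and one who sets the new flag to true silently stops the allowed-location and confidential-compute restrictions from blocking deployments (as I understand `DoNotEnforce`, compliance is still evaluated but non-compliant requests are no longer denied). Suggest making that explicit in the decorator: `@sys.description('Set Enforcement Mode of all default sovereign (SLZ) Policies assignments to Do Not Enforce. Independent of parDisableAlzDefaultPolicies: the Sovereignty Baseline assignments are still deployed, but allowed-location and confidential-compute restrictions are no longer blocked.')`. Since this flag weakens a data-residency guardrail, it is also worth a matching note on `parDisableAlzDefaultPolicies` that it does not cover the sovereign assignments. The module block in the second hunk starts and ends outside the hunk.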
@@ -1578,7 +1581,7 @@ module modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf '../../../
 }
 }
 parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignConf.libDefinition.identity.type
- parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode
+ parPolicyAssignmentEnforcementMode: parDisableSlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode
 parTelemetryOptOut: parTelemetryOptOut
 }
 }
@@ -1610,7 +1613,7 @@ module modPolicyAssignmentLzsConfidentialCorpEnforceSovereigntyConf '../../../po
 }
 }
 parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignConf.libDefinition.identity.type
- parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode
+ parPolicyAssignmentEnforcementMode: parDisableSlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode
 parTelemetryOptOut: parTelemetryOptOut
 }
 }
From acde14957a1e0435b0ac80fd90c3d9e0c1a96f2a Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Mon, 26 Feb 2024 23:03:20 -0800 Subject: [PATCH 26/37] Update alzDefaultPolicyAssignments.bicep.md Update the markdown. From cd215e0dba0d7860064cf4766012ddfc6407c2a8 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Mon, 26 Feb 2024 23:16:33 -0800 Subject: [PATCH 27/37] Update alzDefaultPolicyAssignments.bicep.md --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
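Review bot: The expression `parDisableSlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode` is now written out verbatim in both the Confidential Online and Confidential Corp assignments in these two hunks, so any later change to how the sovereign enforcement mode is derived has to be made in each module separately (and a third time for the Global variant in an earlier hunk). Consider hoisting it once, presumably next to where `varPolicyAssignmentEnforceSovereignConf` is defined earlier in the file, as `var varSlzConfEnforcementMode = parDisableSlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode` and passing `parPolicyAssignmentEnforcementMode: varSlzConfEnforcementMode` from both modules. Both enclosing module blocks start outside the hunks.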
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index 0b2d6946b..ea18da6b4 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md 
@@ -8,7 +8,7 @@ Parameter name | Required | Description -------------- | -------- | ----------- parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy. parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix -parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment. +parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment. parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' 
- `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups. parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or online Management Groups. From 818e2128d375e9878678e67fdca66c94a4627493 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Mon, 26 Feb 2024 23:26:19 -0800 Subject: [PATCH 28/37] Update alzDefaultPolicyAssignments.bicep.md --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index ea18da6b4..d91ca712c 100644 
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md 
@@ -9,7 +9,7 @@ Parameter name | Required | Description parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy. parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment. -parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. 
+parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups. parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or online Management Groups. parLandingZoneMgConfidentialEnable | No | Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups From 4dcd0f7ae894ee44233818e17a3faf3ae39bdc89 Mon Sep 17 00:00:00 2001 
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Mon, 26 Feb 2024 23:33:40 -0800 Subject: [PATCH 29/37] Update alzDefaultPolicyAssignments.bicep.md Add extra spaces at the end of line. --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index d91ca712c..12f8fbaf9 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md 
@@ -9,7 +9,7 @@ Parameter name | Required | Description parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy. parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment. -parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. 
+parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups. parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or online Management Groups. parLandingZoneMgConfidentialEnable | No | Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups From 8d1ab5ec3c4cd9e108988b64412d2742db58b0f3 Mon Sep 17 00:00:00 2001 
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Mon, 26 Feb 2024 23:39:31 -0800 Subject: [PATCH 30/37] Update alzDefaultPolicyAssignments.bicep.md --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index 12f8fbaf9..ea18da6b4 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md 
@@ -9,7 +9,7 @@ Parameter name | Required | Description parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy. parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment. -parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. 
+parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups. parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or online Management Groups. parLandingZoneMgConfidentialEnable | No | Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups From d038a74d8379a43350ee79824af2eea0b17b80e4 Mon Sep 17 00:00:00 2001 
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Mon, 26 Feb 2024 23:44:54 -0800 Subject: [PATCH 31/37] Update alzDefaultPolicyAssignments.bicep.md --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index ea18da6b4..d91ca712c 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md 
@@ -9,7 +9,7 @@ Parameter name | Required | Description parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy. parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment. -parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. 
+parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups. parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or online Management Groups. parLandingZoneMgConfidentialEnable | No | Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups From 91d434c2ea6a8f85a0c804f0415c2b3778188e19 Mon Sep 17 00:00:00 2001 
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Mon, 26 Feb 2024 23:49:21 -0800 Subject: [PATCH 32/37] Update alzDefaultPolicyAssignments.bicep.md --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index d91ca712c..ea18da6b4 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md 
@@ -9,7 +9,7 @@ Parameter name | Required | Description
 parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy.
 parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix
 parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment.
-parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment.
+parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment.
 parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.
 parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or online Management Groups.
 parLandingZoneMgConfidentialEnable | No | Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups
From 40786fdf3de0eed35fe5d26da12aae83186b1b35 Mon Sep 17 00:00:00 2001
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com>
Date: Mon, 26 Feb 2024 23:55:55 -0800
Subject: [PATCH 33/37] Update alzDefaultPolicyAssignments.bicep.md
---
 .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
index ea18da6b4..f85b1b422 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
@@ -9,7 +9,7 @@ Parameter name | Required | Description
 parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy.
 parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix
 parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment.
-parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment.
+parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment.
 parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.
 parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or online Management Groups.
 parLandingZoneMgConfidentialEnable | No | Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups
From aaddd139a48583e7a6905f7754e8a77a0c707156 Mon Sep 17 00:00:00 2001
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com>
Date: Tue, 27 Feb 2024 00:01:32 -0800
Subject: [PATCH 34/37] Update alzDefaultPolicyAssignments.bicep
---
 .../assignments/alzDefaults/alzDefaultPolicyAssignments.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
index b61d46e50..3b2929be5 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -37,7 +37,7 @@ param parTopLevelManagementGroupSuffix string = ''
 @sys.description('''Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.'
-- `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group.
+- `parTopLevelSovereignGlobalPoliciesEnable` - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group.
 - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.
 - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment.
From 7b89639f4432d6f4ab4f67617386c3bd2f01ce83 Mon Sep 17 00:00:00 2001
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com>
Date: Tue, 27 Feb 2024 00:03:03 -0800
Subject: [PATCH 35/37] Update alzDefaultPolicyAssignments.bicep.md
---
 .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
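Review bot: The `parPolicyEffect` bullet of this description still says only "The effect type" and states neither the accepted values nor the default, yet this one property decides whether the Sovereignty Baseline location guardrail blocks non-compliant deployments or merely records them; suggest `- \`parPolicyEffect\` - The effect applied by the Sovereignty Baseline - Global Policies Assignment. Must be one of the effects the initiative's effect parameter accepts; Deny blocks non-compliant deployments, Audit only reports them.` The first context line of the description also carries a stray apostrophe after `root management group.'` that the commit leaves in place. The property name quoted here, `parTopLevelSovereignGlobalPoliciesEnable`, should be checked against the property the module actually reads from this object when it derives the assignment's enforcement mode, because a name mismatch in a loosely typed object parameter is only detected at deployment time, so the doc would mislead anyone building the object from it. The `param parTopLevelPolicyAssignmentSovereigntyGlobal` declaration this description annotates continues outside the hunk.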
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
index f85b1b422..340310c8d 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
@@ -8,8 +8,8 @@ Parameter name | Required | Description
 -------------- | -------- | -----------
 parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy.
 parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix
-parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment.
-parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment.
+parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable` - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment.
+parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment.
 parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.
 parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed.
If set to false, policies will not try to be assigned to corp or online Management Groups.
 parLandingZoneMgConfidentialEnable | No | Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups
From dff733bd39b7561f6e284aec691d44efb4efe471 Mon Sep 17 00:00:00 2001
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com>
Date: Tue, 27 Feb 2024 00:09:45 -0800
Subject: [PATCH 36/37] Update alzDefaultPolicyAssignments.bicep.md
---
 .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
index 340310c8d..12dadb0f2 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
@@ -9,7 +9,7 @@ Parameter name | Required | Description
 parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy.
 parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix
 parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable` - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment.
-parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment.
+parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment.
 parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.
 parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or online Management Groups.
 parLandingZoneMgConfidentialEnable | No | Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups
From 273c44ca35dd462b47d7da1c4f49ae8df5225257 Mon Sep 17 00:00:00 2001
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com>
Date: Tue, 27 Feb 2024 00:26:25 -0800
Subject: [PATCH 37/37] Update alzDefaultPolicyAssignments.bicep.md
---
 .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
index 12dadb0f2..b0981255b 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
@@ -9,7 +9,7 @@ Parameter name | Required | Description
 parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy.
 parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix
 parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable` - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment.
-parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment.
+parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment.
 parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.
 parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or online Management Groups.
 parLandingZoneMgConfidentialEnable | No | Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups
@@ -48,7 +48,7 @@ Optional suffix for the management group hierarchy. This suffix will be appended
 Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.'
-- `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group.
+- `parTopLevelSovereignGlobalPoliciesEnable` - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group.
 - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.
 - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment.