From df214b4b1ba151be55a36ade4cdfed38c6639ab6 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Thu, 23 May 2024 22:12:36 -0500 Subject: [PATCH 01/50] Added UMI resource --- infra-as-code/bicep/modules/logging/README.md | 2 ++ .../logging/generateddocs/logging.bicep.md | 10 ++++--- .../bicep/modules/logging/logging.bicep | 27 ++++++++++++++++++- .../parameters/logging.parameters.all.json | 9 +++++++ .../parameters/mc-logging.parameters.all.json | 9 +++++++ 5 files changed, 52 insertions(+), 5 deletions(-) diff --git a/infra-as-code/bicep/modules/logging/README.md b/infra-as-code/bicep/modules/logging/README.md index 5ba38b7a9..da2590d19 100644 --- a/infra-as-code/bicep/modules/logging/README.md +++ b/infra-as-code/bicep/modules/logging/README.md @@ -115,7 +115,9 @@ New-AzResourceGroup ` New-AzResourceGroupDeployment @inputObject ``` + OR + ```powershell # For Azure China regions # Set Platform management subscripion ID as the the current subscription diff --git a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md index abe480451..06a27429a 100644 --- a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md +++ b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md 
@@ -6,21 +6,23 @@ ALZ Bicep Module used to set up Logging Parameter name | Required | Description -------------- | -------- | ----------- -parGlobalResourceLock | No | Global Resource Lock Configuration used for all resources deployed in this module. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parGlobalResourceLock | No | Global Resource Lock Configuration used for all resources deployed in this module. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceName | No | Log Analytics Workspace name. parLogAnalyticsWorkspaceLocation | No | Log Analytics region name - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings. parLogAnalyticsWorkspaceSkuName | No | Log Analytics Workspace sku name. parLogAnalyticsWorkspaceCapacityReservationLevel | No | Log Analytics Workspace Capacity Reservation Level. Only used if parLogAnalyticsWorkspaceSkuName is set to CapacityReservation. parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log retention for Log Analytics Workspace. -parLogAnalyticsWorkspaceLock | No | Resource Lock Configuration for Log Analytics Workspace. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parLogAnalyticsWorkspaceLock | No | Resource Lock Configuration for Log Analytics Workspace. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceSolutions | No | Solutions that will be added to the Log Analytics Workspace. -parLogAnalyticsWorkspaceSolutionsLock | No | Resource Lock Configuration for Log Analytics Workspace Solutions. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. 
- `notes` - Notes about this lock. +parLogAnalyticsWorkspaceSolutionsLock | No | Resource Lock Configuration for Log Analytics Workspace Solutions. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parUserAssignedManagedIdentityName | No | User Assigned Managed Identity name. +parUserAssignedManagedIdentityLock | No | Resource Lock Configuration for User Assigned Managed Identity. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceLinkAutomationAccount | No | Log Analytics Workspace should be linked with the automation account. parAutomationAccountName | No | Automation account name. parAutomationAccountLocation | No | Automation Account region name. - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings. parAutomationAccountUseManagedIdentity | No | Automation Account - use managed identity. parAutomationAccountPublicNetworkAccess | No | Automation Account - Public network access. -parAutomationAccountLock | No | Resource Lock Configuration for Automation Account. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parAutomationAccountLock | No | Resource Lock Configuration for Automation Account. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parTags | No | Tags you would like to be applied to all resources in this module. parAutomationAccountTags | No | Tags you would like to be applied to Automation Account. parLogAnalyticsWorkspaceTags | No | Tags you would like to be applied to Log Analytics Workspace. diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep index 9dcc8a530..ccd45d20a 100644 
--- a/infra-as-code/bicep/modules/logging/logging.bicep +++ b/infra-as-code/bicep/modules/logging/logging.bicep @@ -109,12 +109,22 @@ param parLogAnalyticsWorkspaceSolutionsLock lockType = { notes: 'This lock was created by the ALZ Bicep Logging Module.' } +@sys.description('Name of the User Assigned Managed Identity required for authenticating Azure Monitoring Agent to Azure.') +param parUserAssignedManagedIdentityName string = 'alz-logging-mi' + +@sys.description('User Assigned Managed Identity location.') +param parUserAssignedManagedIdentityLocation string = resourceGroup().location + +param parUserAssignedManagedIdentityLock lockType = { + kind: 'None' + notes: 'This lock was created by the ALZ Bicep Logging Module.' +} + @sys.description('Log Analytics Workspace should be linked with the automation account.') param parLogAnalyticsWorkspaceLinkAutomationAccount bool = true @sys.description('Automation account name.') param parAutomationAccountName string = 'alz-automation-account' - @sys.description('Automation Account region name. - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings.') param parAutomationAccountLocation string = resourceGroup().location 
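Review bot: `param parUserAssignedManagedIdentityLock lockType = {` is the only lock parameter in this hunk without a `@sys.description`, while the neighbouring `parLogAnalyticsWorkspaceSolutionsLock` and the other lock parameters carry one; the generated docs in this same commit claim a description for it, so the bicep should actually have it, e.g. `@sys.description('''Resource Lock Configuration for User Assigned Managed Identity.` followed by the usual `kind`/`notes` bullet lines and `''')`. The new `parUserAssignedManagedIdentityLocation` parameter does not appear in the generated docs hunk, which suggests the docs were hand-edited rather than regenerated; worth confirming against the generator output. The hunk also drops the blank line between `param parAutomationAccountName string = 'alz-automation-account'` and the following `@sys.description`, breaking the one-blank-line spacing every other parameter block keeps.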
@@ -156,6 +166,21 @@ param parTelemetryOptOut bool = false // Customer Usage Attribution Id var varCuaid = 'f8087c67-cc41-46b2-994d-66e4b661860d' +resource resUserAssignedManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' = { + name: parUserAssignedManagedIdentityName + location: parUserAssignedManagedIdentityLocation +} + +// Create a resource lock for the user assigned managed identity if parGlobalResourceLock.kind != 'None' or if parUserAssignedManagedIdentityLock.kind != 'None' +resource resUserAssignedIdentityLock 'Microsoft.Authorization/locks@2020-05-01' = if (parUserAssignedManagedIdentityLock.kind != 'None' || parGlobalResourceLock.kind != 'None') { + scope: resUserAssignedManagedIdentity + name: parUserAssignedManagedIdentityLock.?name ?? '${resAutomationAccount.name}-lock' + properties: { + level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parUserAssignedManagedIdentityLock.kind + notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parUserAssignedManagedIdentityLock.?notes + } +} + resource resAutomationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' = { name: parAutomationAccountName location: parAutomationAccountLocation diff --git a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json index 73fe7eb16..883fb7408 100644 --- a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json +++ b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json @@ -31,6 +31,9 @@ "VMInsights" ] }, + "parUserAssignedManagedIdentityName": { + "value": "alz-umi-identity" + }, "parLogAnalyticsWorkspaceLinkAutomationAccount": { "value": true }, 
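Review bot: `resUserAssignedManagedIdentity` sets only `name` and `location`; every other resource in this module is tagged (the docs hunk lists `parTags` plus per-resource tag parameters), so the identity should at least get `tags: parTags` or its own `parUserAssignedManagedIdentityTags` to stay consistent. The identity is described as required for authenticating AMA, yet nothing in this hunk exposes it to consumers; unless an `output` for its resource id and principal id exists outside the hunk (not visible here), downstream templates cannot assign it to VMs or grant it roles, and it is worth confirming the module's outputs section was extended. The symbolic name `resUserAssignedIdentityLock` also diverges from `resUserAssignedManagedIdentity`, while every other lock in the file is named `<resource>Lock`; `resUserAssignedManagedIdentityLock` would match. Finally, `Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview` pins a preview API version for a GA resource type; the stable `2023-01-31` version covers `name` and `location` and avoids a preview dependency in a platform-wide module.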
@@ -66,6 +69,12 @@ "notes": "This lock was created by the ALZ Bicep Logging Module." } }, + "parUserAssignedManagedIdentityLock":{ + "value": { + "kind": "None", + "notes": "This lock was created by the ALZ Bicep Logging Module." + } + }, "parAutomationAccountLock": { "value": { "kind": "None", diff --git a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json index 360454db1..83868077e 100644 --- a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json +++ b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json @@ -28,6 +28,9 @@ "VMInsights" ] }, + "parUserAssignedManagedIdentityName": { + "value": "alz-umi-identity" + }, "parLogAnalyticsWorkspaceLinkAutomationAccount": { "value": true }, @@ -60,6 +63,12 @@ "notes": "This lock was created by the ALZ Bicep Logging Module." } }, + "parUserAssignedManagedIdentityLock":{ + "value": { + "kind": "None", + "notes": "This lock was created by the ALZ Bicep Logging Module." + } + }, "parAutomationAccountLock": { "value": { "kind": "None", From 64ef97673edbf97d1a6809437940238515e08380 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Thu, 23 May 2024 23:43:49 -0500 Subject: [PATCH 02/50] Add data collection rule --- .../logging/generateddocs/logging.bicep.md | 4 +- .../bicep/modules/logging/logging.bicep | 84 ++++++++++++++++++- .../parameters/logging.parameters.all.json | 9 ++ .../parameters/mc-logging.parameters.all.json | 9 ++ 4 files changed, 104 insertions(+), 2 deletions(-) diff --git a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md index 06a27429a..808c73384 100644 --- a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md +++ b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md 
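Review bot: `"parUserAssignedManagedIdentityLock":{` is missing the space before the opening brace that every sibling entry in this file uses (`"parAutomationAccountLock": {`); the same formatting slip is repeated in the mc-logging.parameters.all.json hunk below. Write it as `"parUserAssignedManagedIdentityLock": {` in both files so a formatter pass does not later produce an unrelated diff.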
@@ -15,7 +15,9 @@ parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log re parLogAnalyticsWorkspaceLock | No | Resource Lock Configuration for Log Analytics Workspace. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceSolutions | No | Solutions that will be added to the Log Analytics Workspace. parLogAnalyticsWorkspaceSolutionsLock | No | Resource Lock Configuration for Log Analytics Workspace Solutions. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. -parUserAssignedManagedIdentityName | No | User Assigned Managed Identity name. +parDataCollectionRuleName | No | Name of the Data Collection Rule for Azure Monitoring Agent integration. +parDataCollectionRuleLock | No | Resource Lock Configuration for Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parUserAssignedManagedIdentityName | No | Name of the User Assigned Managed Identity required for authenticating Azure Monitoring Agent to Azure. parUserAssignedManagedIdentityLock | No | Resource Lock Configuration for User Assigned Managed Identity. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceLinkAutomationAccount | No | Log Analytics Workspace should be linked with the automation account. parAutomationAccountName | No | Automation account name. diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep index ccd45d20a..e8d4b66af 100644 --- a/infra-as-code/bicep/modules/logging/logging.bicep +++ b/infra-as-code/bicep/modules/logging/logging.bicep 
@@ -29,6 +29,20 @@ param parLogAnalyticsWorkspaceName string = 'alz-log-analytics' @sys.description('Log Analytics region name - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings.') param parLogAnalyticsWorkspaceLocation string = resourceGroup().location +@sys.description('Data Collection Rule name for AMA integration.') +param parDataCollectionRuleName string = 'ama-vmi-default-perfAndda-dcr' + +@sys.description('''Resource Lock Configuration for Log Analytics Workspace. + +- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. +- `notes` - Notes about this lock. + +''') +param parDataCollectionRuleLock lockType = { + kind: 'None' + notes: 'This lock was created by the ALZ Bicep Logging Module.' +} + @allowed([ 'CapacityReservation' 'Free' @@ -174,7 +188,7 @@ resource resUserAssignedManagedIdentity 'Microsoft.ManagedIdentity/userAssignedI // Create a resource lock for the user assigned managed identity if parGlobalResourceLock.kind != 'None' or if parUserAssignedManagedIdentityLock.kind != 'None' resource resUserAssignedIdentityLock 'Microsoft.Authorization/locks@2020-05-01' = if (parUserAssignedManagedIdentityLock.kind != 'None' || parGlobalResourceLock.kind != 'None') { scope: resUserAssignedManagedIdentity - name: parUserAssignedManagedIdentityLock.?name ?? '${resAutomationAccount.name}-lock' + name: parUserAssignedManagedIdentityLock.?name ?? '${resUserAssignedManagedIdentity.name}-lock' properties: { level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parUserAssignedManagedIdentityLock.kind notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parUserAssignedManagedIdentityLock.?notes 
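Review bot: The default `'ama-vmi-default-perfAndda-dcr'` on `param parDataCollectionRuleName` reads like a typo: the casing of the other segments suggests `perfAndDa` (performance counters and Dependency Agent, matching the two data sources the rule defines) rather than `perfAndda`. Defaults become part of the module's public contract and renaming a DCR later forces a replace, so it is worth settling the spelling in this commit; if the odd casing is intentional, a short comment above the param saying what `perfAndda` abbreviates would save the next reader the same question.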
@@ -232,6 +246,74 @@ resource resLogAnalyticsWorkspaceLock 'Microsoft.Authorization/locks@2020-05-01' } } +resource resDataCollectionRule 'Microsoft.Insights/dataCollectionRules@2023-03-11' = { + name: parDataCollectionRuleName + location: parLogAnalyticsWorkspaceLocation + properties: { + description: 'Data collection rule for VM Insights' + dataSources: { + performanceCounters: [ + { + name: 'VMInsightsPerfCounters' + streams: [ + 'Microsoft-InsightsMetrics' + ] + counterSpecifiers: [ + '\\VMInsights\\DetailedMetrics' + ] + samplingFrequencyInSeconds: 60 + } + ] + extensions: [ + { + streams: [ + 'Microsoft-ServiceMap' + ] + extensionName: 'DependencyAgent' + extensionSettings: {} + name: 'DependencyAgentDataSource' + } + ] + } + destinations: { + logAnalytics: [ + { + workspaceResourceId: resLogAnalyticsWorkspace.id + name: 'VMInsightsPerf-Logs-Dest' + } + ] + } + dataFlows: [ + { + streams: [ + 'Microsoft-InsightsMetrics' + ] + destinations: [ + 'VMInsightsPerf-Logs-Dest' + ] + } + { + streams: [ + 'Microsoft-ServiceMap' + ] + destinations: [ + 'VMInsightsPerf-Logs-Dest' + ] + } + ] + } +} + +// Create a resource lock for the Data Collection Rule if parGlobalResourceLock.kind != 'None' or if parDataCollectionRuleLock.kind != 'None' +resource resDataCollectionRuleLock 'Microsoft.Authorization/locks@2020-05-01' = if (parDataCollectionRuleLock.kind != 'None' || parGlobalResourceLock.kind != 'None') { + scope: resDataCollectionRule + name: parDataCollectionRuleLock.?name ?? '${resDataCollectionRule.name}-lock' + properties: { + level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parDataCollectionRuleLock.kind + notes: (parGlobalResourceLock.kind != 'None') ? 
parGlobalResourceLock.?notes : parDataCollectionRuleLock.?notes + } +} + resource resLogAnalyticsWorkspaceSolutions 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = [for solution in parLogAnalyticsWorkspaceSolutions: { name: '${solution}(${resLogAnalyticsWorkspace.name})' location: parLogAnalyticsWorkspaceLocation diff --git a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json index 883fb7408..ed51e29c1 100644 --- a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json +++ b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json @@ -31,6 +31,9 @@ "VMInsights" ] }, + "parDataCollectionRuleName": { + "value": "ama-vmi-default-perfAndda-dcr" + }, "parUserAssignedManagedIdentityName": { "value": "alz-umi-identity" }, @@ -92,6 +95,12 @@ "kind": "None", "notes": "This lock was created by the ALZ Bicep Logging Module." } + }, + "parDataCollectionRuleLock": { + "value": { + "kind": "None", + "notes": "This lock was created by the ALZ Bicep Logging Module." + } } } } diff --git a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json index 83868077e..4a0561ebd 100644 --- a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json +++ b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json @@ -28,6 +28,9 @@ "VMInsights" ] }, + "parDataCollectionRuleName": { + "value": "ama-vmi-default-perfAndda-dcr" + }, "parUserAssignedManagedIdentityName": { "value": "alz-umi-identity" }, @@ -86,6 +89,12 @@ "kind": "None", "notes": "This lock was created by the ALZ Bicep Logging Module." } + }, + "parDataCollectionRuleLock": { + "value": { + "kind": "None", + "notes": "This lock was created by the ALZ Bicep Logging Module." + } } } } 
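Review bot: `resDataCollectionRule` sets `location: parLogAnalyticsWorkspaceLocation`, borrowing the workspace's location parameter, whereas the user-assigned identity added in the previous commit got its own `parUserAssignedManagedIdentityLocation`; a dedicated `parDataCollectionRuleLocation string = resourceGroup().location` would keep the two new resources consistent and let the rule be placed independently of the workspace. Like the identity, the rule carries no `tags`, so it will be the only untagged monitoring resource in the module; `tags: parTags` is the minimum to match the rest. The `resLogAnalyticsWorkspaceSolutions` loop that follows starts inside this hunk but its body continues outside it.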
From 5b03e347cfa5171b4c33d63f98c5d17cd3abfde4 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Tue, 28 May 2024 13:51:44 -0500 Subject: [PATCH 03/50] Update vm insights dcr name --- .../logging/generateddocs/logging.bicep.md | 4 ++-- .../bicep/modules/logging/logging.bicep | 20 +++++++++---------- .../parameters/logging.parameters.all.json | 4 ++-- .../parameters/mc-logging.parameters.all.json | 4 ++-- 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md index 808c73384..87798ef1f 100644 --- a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md +++ b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md 
@@ -15,8 +15,8 @@ parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log re parLogAnalyticsWorkspaceLock | No | Resource Lock Configuration for Log Analytics Workspace. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceSolutions | No | Solutions that will be added to the Log Analytics Workspace. parLogAnalyticsWorkspaceSolutionsLock | No | Resource Lock Configuration for Log Analytics Workspace Solutions. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. -parDataCollectionRuleName | No | Name of the Data Collection Rule for Azure Monitoring Agent integration. -parDataCollectionRuleLock | No | Resource Lock Configuration for Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parDataCollectionRuleVMInsightsName | No | Name of the Data Collection Rule for Azure Monitoring Agent integration. +parDataCollectionRuleVMInsightsLock | No | Resource Lock Configuration for Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parUserAssignedManagedIdentityName | No | Name of the User Assigned Managed Identity required for authenticating Azure Monitoring Agent to Azure. parUserAssignedManagedIdentityLock | No | Resource Lock Configuration for User Assigned Managed Identity. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceLinkAutomationAccount | No | Log Analytics Workspace should be linked with the automation account. diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep index e8d4b66af..3b8a69870 100644 
--- a/infra-as-code/bicep/modules/logging/logging.bicep +++ b/infra-as-code/bicep/modules/logging/logging.bicep @@ -30,7 +30,7 @@ param parLogAnalyticsWorkspaceName string = 'alz-log-analytics' param parLogAnalyticsWorkspaceLocation string = resourceGroup().location @sys.description('Data Collection Rule name for AMA integration.') -param parDataCollectionRuleName string = 'ama-vmi-default-perfAndda-dcr' +param parDataCollectionRuleVMInsightsName string = 'ama-vmi-default-perfAndda-dcr' @sys.description('''Resource Lock Configuration for Log Analytics Workspace. @@ -38,7 +38,7 @@ param parDataCollectionRuleName string = 'ama-vmi-default-perfAndda-dcr' - `notes` - Notes about this lock. ''') -param parDataCollectionRuleLock lockType = { +param parDataCollectionRuleVMInsightsLock lockType = { kind: 'None' notes: 'This lock was created by the ALZ Bicep Logging Module.' } @@ -246,8 +246,8 @@ resource resLogAnalyticsWorkspaceLock 'Microsoft.Authorization/locks@2020-05-01' } } -resource resDataCollectionRule 'Microsoft.Insights/dataCollectionRules@2023-03-11' = { - name: parDataCollectionRuleName +resource resDataCollectionRuleVMInsights 'Microsoft.Insights/dataCollectionRules@2023-03-11' = { + name: parDataCollectionRuleVMInsightsName location: parLogAnalyticsWorkspaceLocation properties: { description: 'Data collection rule for VM Insights' 
@@ -304,13 +304,13 @@ resource resDataCollectionRule 'Microsoft.Insights/dataCollectionRules@2023-03-1 } } -// Create a resource lock for the Data Collection Rule if parGlobalResourceLock.kind != 'None' or if parDataCollectionRuleLock.kind != 'None' -resource resDataCollectionRuleLock 'Microsoft.Authorization/locks@2020-05-01' = if (parDataCollectionRuleLock.kind != 'None' || parGlobalResourceLock.kind != 'None') { - scope: resDataCollectionRule - name: parDataCollectionRuleLock.?name ?? '${resDataCollectionRule.name}-lock' +// Create a resource lock for the Data Collection Rule if parGlobalResourceLock.kind != 'None' or if parDataCollectionRuleVMInsightsLock.kind != 'None' +resource resDataCollectionRuleVMInsightsLock 'Microsoft.Authorization/locks@2020-05-01' = if (parDataCollectionRuleVMInsightsLock.kind != 'None' || parGlobalResourceLock.kind != 'None') { + scope: resDataCollectionRuleVMInsights + name: parDataCollectionRuleVMInsightsLock.?name ?? '${resDataCollectionRuleVMInsights.name}-lock' properties: { - level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parDataCollectionRuleLock.kind - notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parDataCollectionRuleLock.?notes + level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parDataCollectionRuleVMInsightsLock.kind + notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parDataCollectionRuleVMInsightsLock.?notes } } diff --git a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json index ed51e29c1..b96d16dbe 100644 --- a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json +++ b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json 
@@ -31,7 +31,7 @@ "VMInsights" ] }, - "parDataCollectionRuleName": { + "parDataCollectionRuleVMInsightsName": { "value": "ama-vmi-default-perfAndda-dcr" }, "parUserAssignedManagedIdentityName": { @@ -96,7 +96,7 @@ "notes": "This lock was created by the ALZ Bicep Logging Module." } }, - "parDataCollectionRuleLock": { + "parDataCollectionRuleVMInsightsLock": { "value": { "kind": "None", "notes": "This lock was created by the ALZ Bicep Logging Module." diff --git a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json index 4a0561ebd..3a8551eea 100644 --- a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json +++ b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json @@ -28,7 +28,7 @@ "VMInsights" ] }, - "parDataCollectionRuleName": { + "parDataCollectionRuleVMInsightsName": { "value": "ama-vmi-default-perfAndda-dcr" }, "parUserAssignedManagedIdentityName": { @@ -90,7 +90,7 @@ "notes": "This lock was created by the ALZ Bicep Logging Module." } }, - "parDataCollectionRuleLock": { + "parDataCollectionRuleVMInsightsLock": { "value": { "kind": "None", "notes": "This lock was created by the ALZ Bicep Logging Module." From 4f9e5796d8d29b9bb6e1cc7d609d5fc5ff7506e2 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Tue, 28 May 2024 15:37:54 -0500 Subject: [PATCH 04/50] Add change tracking DCR --- .../logging/generateddocs/logging.bicep.md | 6 +- .../bicep/modules/logging/logging.bicep | 290 +++++++++++++++++- .../parameters/logging.parameters.all.json | 9 + .../parameters/mc-logging.parameters.all.json | 9 + 4 files changed, 310 insertions(+), 4 deletions(-) diff --git a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md index 87798ef1f..878ddc73d 100644 --- a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md 
+++ b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md 
@@ -15,8 +15,10 @@ parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log re parLogAnalyticsWorkspaceLock | No | Resource Lock Configuration for Log Analytics Workspace. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceSolutions | No | Solutions that will be added to the Log Analytics Workspace. parLogAnalyticsWorkspaceSolutionsLock | No | Resource Lock Configuration for Log Analytics Workspace Solutions. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. -parDataCollectionRuleVMInsightsName | No | Name of the Data Collection Rule for Azure Monitoring Agent integration. -parDataCollectionRuleVMInsightsLock | No | Resource Lock Configuration for Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parDataCollectionRuleVMInsightsName | No | VM Insights Data Collection Rule name for AMA integration. +parDataCollectionRuleVMInsightsLock | No | Resource Lock Configuration for VM Insights Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parDataCollectionRuleChangeTrackingName | No | Change Tracking Data Collection Rule name for AMA integration. +parDataCollectionRuleChangeTrackingLock | No | Resource Lock Configuration for Change Tracking Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parUserAssignedManagedIdentityName | No | Name of the User Assigned Managed Identity required for authenticating Azure Monitoring Agent to Azure. parUserAssignedManagedIdentityLock | No | Resource Lock Configuration for User Assigned Managed Identity. 
- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceLinkAutomationAccount | No | Log Analytics Workspace should be linked with the automation account. diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep index 3b8a69870..1fed8887b 100644 --- a/infra-as-code/bicep/modules/logging/logging.bicep +++ b/infra-as-code/bicep/modules/logging/logging.bicep @@ -29,10 +29,10 @@ param parLogAnalyticsWorkspaceName string = 'alz-log-analytics' @sys.description('Log Analytics region name - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings.') param parLogAnalyticsWorkspaceLocation string = resourceGroup().location -@sys.description('Data Collection Rule name for AMA integration.') +@sys.description('VM Insights Data Collection Rule name for AMA integration.') param parDataCollectionRuleVMInsightsName string = 'ama-vmi-default-perfAndda-dcr' -@sys.description('''Resource Lock Configuration for Log Analytics Workspace. +@sys.description('''Resource Lock Configuration for VM Insights Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. 
@@ -43,6 +43,21 @@ param parDataCollectionRuleVMInsightsLock lockType = { notes: 'This lock was created by the ALZ Bicep Logging Module.' } +@sys.description('Change Tracking Data Collection Rule name for AMA integration.') +param parDataCollectionRuleChangeTrackingName string = 'ama-ct-default-dcr' + +@sys.description('''Resource Lock Configuration for Change Tracking Data Collection Rule. + +- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. +- `notes` - Notes about this lock. + +''') +param parDataCollectionRuleChangeTrackingLock lockType = { + kind: 'None' + notes: 'This lock was created by the ALZ Bicep Logging Module.' +} + + @allowed([ 'CapacityReservation' 'Free' 
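Review bot: The hunk adds two blank lines after the closing `}` of `parDataCollectionRuleChangeTrackingLock` (the two trailing `+` lines) before the existing `@allowed([` block, while every other parameter in the file is separated by a single blank line; drop one of them. Otherwise the new parameter block mirrors the VM Insights pair above it, including the corrected description text, which is the right pattern to follow.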
@@ -314,6 +329,277 @@ resource resDataCollectionRuleVMInsightsLock 'Microsoft.Authorization/locks@2020 } } +resource resDataCollectionRuleChangeTracking 'Microsoft.Insights/dataCollectionRules@2023-03-11' = { + name: parDataCollectionRuleChangeTrackingName + location: parLogAnalyticsWorkspaceLocation + properties: { + description: 'Data collection rule for CT.' + dataSources: { + extensions: [ + { + streams: [ + 'Microsoft-ConfigurationChange' + 'Microsoft-ConfigurationChangeV2' + 'Microsoft-ConfigurationData' + ] + extensionName: 'ChangeTracking-Windows' + extensionSettings: { + enableFiles: true + enableSoftware: true + enableRegistry: true + enableServices: true + enableInventory: true + registrySettings: { + registryCollectionFrequency: 3000 + registryInfo: [ + { + name: 'Registry_1' + groupTag: 'Recommended' + enabled: false + recurse: true + description: '' + keyName: 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup' + valueName: '' + } + { + name: 'Registry_2' + groupTag: 'Recommended' + enabled: false + recurse: true + description: '' + keyName: 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Shutdown' + valueName: '' + } + { + name: 'Registry_3' + groupTag: 'Recommended' + enabled: false + recurse: true + description: '' + keyName: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run' + valueName: '' + } + { + name: 'Registry_4' + groupTag: 'Recommended' + enabled: false + recurse: true + description: '' + keyName: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components' + valueName: '' + } + { + name: 'Registry_5' + groupTag: 'Recommended' + enabled: false + recurse: true + description: '' + keyName: 'HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\ShellEx\\ContextMenuHandlers' + valueName: '' + } + { + name: 'Registry_6' + groupTag: 'Recommended' + enabled: false + recurse: true + description: '' + keyName: 
'HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers' + valueName: '' + } + { + name: 'Registry_7' + groupTag: 'Recommended' + enabled: false + recurse: true + description: '' + keyName: 'HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Shellex\\CopyHookHandlers' + valueName: '' + } + { + name: 'Registry_8' + groupTag: 'Recommended' + enabled: false + recurse: true + description: '' + keyName: 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers' + valueName: '' + } + { + name: 'Registry_9' + groupTag: 'Recommended' + enabled: false + recurse: true + description: '' + keyName: 'HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers' + valueName: '' + } + { + name: 'Registry_10' + groupTag: 'Recommended' + enabled: false + recurse: true + description: '' + keyName: 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects' + valueName: '' + } + { + name: 'Registry_11' + groupTag: 'Recommended' + enabled: false + recurse: true + description: '' + keyName: 'HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects' + valueName: '' + } + { + name: 'Registry_12' + groupTag: 'Recommended' + enabled: false + recurse: true + description: '' + keyName: 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Extensions' + valueName: '' + } + { + name: 'Registry_13' + groupTag: 'Recommended' + enabled: false + recurse: true + description: '' + keyName: 'HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Internet Explorer\\Extensions' + valueName: '' + } + { + name: 'Registry_14' + groupTag: 'Recommended' + enabled: false + recurse: true + description: '' + keyName: 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32' + valueName: '' + } + { + name: 'Registry_15' + groupTag: 'Recommended' + 
enabled: false + recurse: true + description: '' + keyName: 'HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32' + valueName: '' + } + { + name: 'Registry_16' + groupTag: 'Recommended' + enabled: false + recurse: true + description: '' + keyName: 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\KnownDlls' + valueName: '' + } + { + name: 'Registry_17' + groupTag: 'Recommended' + enabled: false + recurse: true + description: '' + keyName: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify' + valueName: '' + } + ] + } + fileSettings: { + fileCollectionFrequency: 2700 + } + softwareSettings: { + softwareCollectionFrequency: 1800 + } + inventorySettings: { + inventoryCollectionFrequency: 36000 + } + serviceSettings: { + serviceCollectionFrequency: 1800 + } + } + name: 'CTDataSource-Windows' + } + { + streams: [ + 'Microsoft-ConfigurationChange' + 'Microsoft-ConfigurationChangeV2' + 'Microsoft-ConfigurationData' + ] + extensionName: 'ChangeTracking-Linux' + extensionSettings: { + enableFiles: true + enableSoftware: true + enableRegistry: false + enableServices: true + enableInventory: true + fileSettings: { + fileCollectionFrequency: 900 + fileInfo: [ + { + name: 'ChangeTrackingLinuxPath_default' + enabled: true + destinationPath: '/etc/.*.conf' + useSudo: true + recurse: true + maxContentsReturnable: 5000000 + pathType: 'File' + type: 'File' + links: 'Follow' + maxOutputSize: 500000 + groupTag: 'Recommended' + } + ] + } + softwareSettings: { + softwareCollectionFrequency: 300 + } + inventorySettings: { + inventoryCollectionFrequency: 36000 + } + serviceSettings: { + serviceCollectionFrequency: 300 + } + } + name: 'CTDataSource-Linux' + } + ] + } + destinations: { + logAnalytics: [ + { + workspaceResourceId: resLogAnalyticsWorkspace.id + name: 'Microsoft-CT-Dest' + } + ] + } + dataFlows: [ + { + streams: [ + 'Microsoft-ConfigurationChange' + 
'Microsoft-ConfigurationChangeV2' + 'Microsoft-ConfigurationData' + ] + destinations: [ + 'Microsoft-CT-Dest' + ] + } + ] + } +} + +// Create a resource lock for the Data Collection Rule if parGlobalResourceLock.kind != 'None' or if parDataCollectionRuleChangeTrackingLock.kind != 'None' +resource resDataCollectionRuleChangeTrackingLock 'Microsoft.Authorization/locks@2020-05-01' = if (parDataCollectionRuleChangeTrackingLock.kind != 'None' || parGlobalResourceLock.kind != 'None') { + scope: resDataCollectionRuleChangeTracking + name: parDataCollectionRuleChangeTrackingLock.?name ?? '${resDataCollectionRuleChangeTracking.name}-lock' + properties: { + level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parDataCollectionRuleChangeTrackingLock.kind + notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parDataCollectionRuleChangeTrackingLock.?notes + } +} + resource resLogAnalyticsWorkspaceSolutions 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = [for solution in parLogAnalyticsWorkspaceSolutions: { name: '${solution}(${resLogAnalyticsWorkspace.name})' location: parLogAnalyticsWorkspaceLocation diff --git a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json index b96d16dbe..6f5f5678e 100644 --- a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json +++ b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json @@ -34,6 +34,9 @@ "parDataCollectionRuleVMInsightsName": { "value": "ama-vmi-default-perfAndda-dcr" }, + "parDataCollectionRuleChangeTrackingName": { + "value": "ama-ct-default-dcr" + }, "parUserAssignedManagedIdentityName": { "value": "alz-umi-identity" }, 
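Review bot: The Linux `fileInfo` entry in resDataCollectionRuleChangeTracking matches `/etc/.*.conf` with `useSudo: true` and `maxContentsReturnable: 5000000`, which by the property names appears to ship the contents of those files (read with elevated rights) into the Log Analytics workspace, and credentials or keys kept in such files would travel with them; nothing in the hunk documents that. A comment on the block would let operators weigh that before widening the path set, e.g. `// Matching /etc/*.conf contents are forwarded to the workspace; review for embedded secrets before changing destinationPath.` The Windows `registryInfo` entries all carry `enabled: false` while `enableRegistry: true`; if this mirrors a published sample it deserves a one-line comment, since as written the listed persistence keys are presumably not tracked until someone flips them. The lock resource at the end of the hunk follows the existing VM Insights lock pattern and raises no issue.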
@@ -101,6 +104,12 @@ "kind": "None", "notes": "This lock was created by the ALZ Bicep Logging Module." } + }, + "parDataCollectionRuleChangeTrackingLock": { + "value": { + "kind": "None", + "notes": "This lock was created by the ALZ Bicep Logging Module." + } } } } diff --git a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json index 3a8551eea..7b3f7d1b7 100644 --- a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json +++ b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json @@ -31,6 +31,9 @@ "parDataCollectionRuleVMInsightsName": { "value": "ama-vmi-default-perfAndda-dcr" }, + "parDataCollectionRuleChangeTrackingName": { + "value": "ama-ct-default-dcr" + }, "parUserAssignedManagedIdentityName": { "value": "alz-umi-identity" }, @@ -95,6 +98,12 @@ "kind": "None", "notes": "This lock was created by the ALZ Bicep Logging Module." } + }, + "parDataCollectionRuleChangeTrackingLock": { + "value": { + "kind": "None", + "notes": "This lock was created by the ALZ Bicep Logging Module." + } } } } From 9e573a45f03a733b26d01798cd58c5887ea65980 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Tue, 28 May 2024 21:49:38 -0500 Subject: [PATCH 05/50] Add MDFC for SQL data collection rule --- .../logging/generateddocs/logging.bicep.md | 6 +- .../bicep/modules/logging/logging.bicep | 71 ++++++++++++++++++ .../modules/logging/media/bicepVisualizer.png | Bin 30790 -> 208206 bytes .../parameters/logging.parameters.all.json | 9 +++ .../parameters/mc-logging.parameters.all.json | 9 +++ 5 files changed, 93 insertions(+), 2 deletions(-) diff --git a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md index 878ddc73d..74337d28d 100644 --- a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md 
+++ b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md 
@@ -15,10 +15,12 @@ parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log re parLogAnalyticsWorkspaceLock | No | Resource Lock Configuration for Log Analytics Workspace. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceSolutions | No | Solutions that will be added to the Log Analytics Workspace. parLogAnalyticsWorkspaceSolutionsLock | No | Resource Lock Configuration for Log Analytics Workspace Solutions. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. -parDataCollectionRuleVMInsightsName | No | VM Insights Data Collection Rule name for AMA integration. +parDataCollectionRuleVMInsightsName | No | VM Insights Data Collection Rule name for AMA integration. parDataCollectionRuleVMInsightsLock | No | Resource Lock Configuration for VM Insights Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. -parDataCollectionRuleChangeTrackingName | No | Change Tracking Data Collection Rule name for AMA integration. +parDataCollectionRuleChangeTrackingName | No | Change Tracking Data Collection Rule name for AMA integration. parDataCollectionRuleChangeTrackingLock | No | Resource Lock Configuration for Change Tracking Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parDataCollectionRuleMDFCSQLName | No | MDFC for SQL Data Collection Rule name for AMA integration. +parDataCollectionRuleMDFCSQLLock | No | Resource Lock Configuration for MDFC Defender for SQL Data Collection Rule - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. 
parUserAssignedManagedIdentityName | No | Name of the User Assigned Managed Identity required for authenticating Azure Monitoring Agent to Azure. parUserAssignedManagedIdentityLock | No | Resource Lock Configuration for User Assigned Managed Identity. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceLinkAutomationAccount | No | Log Analytics Workspace should be linked with the automation account. diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep index 1fed8887b..c34fd4492 100644 --- a/infra-as-code/bicep/modules/logging/logging.bicep +++ b/infra-as-code/bicep/modules/logging/logging.bicep @@ -57,6 +57,19 @@ param parDataCollectionRuleChangeTrackingLock lockType = { notes: 'This lock was created by the ALZ Bicep Logging Module.' } +@sys.description('MDFC for SQL Data Collection Rule name for AMA integration.') +param parDataCollectionRuleMDFCSQLName string = 'ama-mdfcsql-default-dcr' + +@sys.description('''Resource Lock Configuration for MDFC Defender for SQL Data Collection Rule. + +- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. +- `notes` - Notes about this lock. + +''') +param parDataCollectionRuleMDFCSQLLock lockType = { + kind: 'None' + notes: 'This lock was created by the ALZ Bicep Logging Module.' +} @allowed([ 'CapacityReservation' 
@@ -600,6 +613,64 @@ resource resDataCollectionRuleChangeTrackingLock 'Microsoft.Authorization/locks@ } } +resource resDataCollectionRuleMDFCSQL'Microsoft.Insights/dataCollectionRules@2023-03-11' = { + name: parDataCollectionRuleMDFCSQLName + location: parLogAnalyticsWorkspaceLocation + properties: { + description: 'Data collection rule for Defender for SQL.' + dataSources: { + extensions: [ + { + extensionName: 'MicrosoftDefenderForSQL' + name: 'MicrosoftDefenderForSQL' + streams: [ + 'Microsoft-DefenderForSqlAlerts' + 'Microsoft-DefenderForSqlLogins' + 'Microsoft-DefenderForSqlTelemetry' + 'Microsoft-DefenderForSqlScanEvents' + 'Microsoft-DefenderForSqlScanResults' + ] + extensionSettings: { + enableCollectionOfSqlQueriesForSecurityResearch: true + } + } + ] + } + destinations: { + logAnalytics: [ + { + workspaceResourceId: resLogAnalyticsWorkspace.id + name: 'Microsoft-DefenderForSQL-Dest' + } + ] + } + dataFlows: [ + { + streams: [ + 'Microsoft-DefenderForSqlAlerts' + 'Microsoft-DefenderForSqlLogins' + 'Microsoft-DefenderForSqlTelemetry' + 'Microsoft-DefenderForSqlScanEvents' + 'Microsoft-DefenderForSqlScanResults' + ] + destinations: [ + 'Microsoft-DefenderForSQL-Dest' + ] + } + ] + } +} + +// Create a resource lock for the Data Collection Rule if parGlobalResourceLock.kind != 'None' or if parDataCollectionRuleMDFCSQLLock.kind != 'None' +resource resDataCollectionRuleMDFCSQLLock 'Microsoft.Authorization/locks@2020-05-01' = if (parDataCollectionRuleMDFCSQLLock.kind != 'None' || parGlobalResourceLock.kind != 'None') { + scope: resDataCollectionRuleMDFCSQL + name: parDataCollectionRuleMDFCSQLLock.?name ?? '${resDataCollectionRuleMDFCSQL.name}-lock' + properties: { + level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parDataCollectionRuleMDFCSQLLock.kind + notes: (parGlobalResourceLock.kind != 'None') ? 
parGlobalResourceLock.?notes : parDataCollectionRuleMDFCSQLLock.?notes + } +} + resource resLogAnalyticsWorkspaceSolutions 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = [for solution in parLogAnalyticsWorkspaceSolutions: { name: '${solution}(${resLogAnalyticsWorkspace.name})' location: parLogAnalyticsWorkspaceLocation 
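Review bot: `enableCollectionOfSqlQueriesForSecurityResearch: true` is hard-coded in resDataCollectionRuleMDFCSQL, and by its name it opts every SQL server attached to this DCR into sharing query text for research purposes, which many organisations' data-handling rules do not allow; it should be a parameter that defaults to off, e.g. `@sys.description('Enable collection of SQL queries for security research in the MDFC for SQL Data Collection Rule.')` / `param parDataCollectionRuleMDFCSQLEnableQueryCollection bool = false` and `enableCollectionOfSqlQueriesForSecurityResearch: parDataCollectionRuleMDFCSQLEnableQueryCollection`. The resource declaration is also missing the space before its type string: `resource resDataCollectionRuleMDFCSQL 'Microsoft.Insights/dataCollectionRules@2023-03-11' = {`. If the parameter is added, the two parameter files touched by this patch would need the matching entry, consistent with how the other DCR parameters are mirrored there.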
diff --git a/infra-as-code/bicep/modules/logging/media/bicepVisualizer.png b/infra-as-code/bicep/modules/logging/media/bicepVisualizer.png index 8de53129959c8acea78b26d6e39ac39d3d684cc4..a09b69682bd04ff010e7f7d837162e491e9e2546 100644 GIT binary patch literal 208206 zcmeFZbyU@Fw=YVEG)U(nMHe6--3`)6gCHQ?-M#1rrID2GmR3*@q#L9`LXeP>ywCF8 z`*-f%=l$o5d&fBAj&mJDU2A=7KC|a%&gUDYrXq*)fZ_oH0s@YLytD=a0+uTR0?Jbi zB=Cz*s52w@57AXaP7AmQsj>WY_b` z<%asqx4n4jLE}`}gOTkI3Gb>6cD0*+m0eW%mS5dp2g2|rF(Ci_pDENFrvLsM{JbKE z9q9jbGW>wMlqKfBJ5WX`sQ5qM9$!*^X-x0mJQrVbFMNdX-yP84b4&eqlqR<2H~c$F zVN*E&-(Nypd^VGW#Z)7K8kVf{pC-9_6$) zce(aTX>+D})0J$~bZq%FUwPI4>6fTUSt?Ba|2+F&QknmsXaDPFrdCL5iK!OHHBk2O ze}jYgA8w~EX|a;w--m*6;{O9Z`2W5jBuhGyY<#m$+I@Fcv*NW8$G775+Y{Ddy1H`L z(tXR;*259_M{$}dlKms;Y1YaOnlZ`S=#G%p6`Hi&S>r(JG`nf00Yw}$?vuxbpDk)S z&olQ3H{YX0M_^GACv?=yr(aYU-#&N8JgM*POYInpT!(x!Grf-Pfqz+Dc^7r?1eM6( zB$~m5hRA?)HNf)g%H4U(z`(%i>FNIdzQ@5r6U*i_10NqB0|Ns)`^eBx%%>75{E+KE zf0!5CU!ZPBq?`S5UP_%QJPdTeZLb91w@5^A_V6^H=tb~);})aE{v%7%=D zwCuHk^RJs37#pu#UV1S%Z@xvH$01ytnwpA?jBHu*?oP2b@%)DJ~us`jErocZ>FquQtu=}>;`e| zWdttu$;ru)e@RhMquo4LaH0ug8El+Le`ctmBg`_l zuy}49nUHY*JNLd)5Ys#Aa@a9|2p>N&D=S9PKt%;IXZ!i_Sr<)+t@q?N?;Rm@5fg6d3ps1 zIjSnfDXU=<=pGjR?IGYf0YOrFx~{J7T(NT2 z%KhC%c|~GcNca8iA+?Z)^bs{FDJcobkHf=+AtIpF4?+TcZ+-)HgJ35bOrWBoI(FYS z?>*jpzdFpf@@-&XXX3r0h6W+Ky@Z5B>o-m~8!kuXGDBaZv#J7BX!AIrASQm__P|@O z=OV_D1W~wa>&I{wpY05`j^G)s_&^2B+;p+td; zx~)89Z=Sm6c3_EVxw#2Fs_w)m8b@C!9gE(-S1?^HkilYX78Ml*YE==%*!=P1#~rL4 zQu#nrGczq62<~T*kz}#kUDe2=2M-<`p>o$U^d%=ICVu~JSW43tzW20``sO69yH5tg zSXx#VtzPZy3|~@7o#GSMF126J&-ZI^{v$QSQwxPhL~!$hi-Dy8o0K@cy9m73aVIl% z0@e}t=FLOD5==}?Dg&lILSQ4nb_)s$NZ9m`5NpyxXN`Q>o<7B2v9_?V5El=+D#nBq z_wfRaR7_*9GHAJ5It(be!sg_^|C4(kRmsc2!9hh!b{PEZKE>VK9tIxHH(2`k2(nA=#Xw-`$ET;*SXfd{Gl2ibw|hF}i}<}K?JKv{ zFWWu5y}f}%_k@^Xy7>6`bR78b6?;zGN1FWk%n?99OdR&KMka=&<62hUKJku`iRo-_ zIwnD|gX-q2Ch%an(^pnD9O&LvJSN0~&JCCYxTms$!dhvsVo#Q17i%~AM+tPvJ(MW> zc8>!foJ+#>v{2wp*4IsoT9oWC%i>yEJb?pJR8&k_D;Jfbf>CBOwFaI2oaGP}HuUd= zCFLA|XK)NUTI9=dS~F 
zjpX#cJ(~qyb`h}0VmPzRF%8@%Jw5&I_WJjM8wVoLJ#%w&u+qH>CfF1`9i6z5GgxEc zU*{*{d#?2S`MTo@z6R~`^78KPZdh2Dk{xwSMGjN<?k!fk9Dx&CmnAT*cZ*FdGVq>ulziVwn&^FV$Z_L%z)q$0fWf4p~J;4_< zPIa(y`uJQ$g&hh#JwMl8c>*b72iN#q{Gui!D;31!WCrGY-hS9MB%v)yffi+NWMq`Z zYo9(xkqOikhttTyf|qd5NYG8c)xV*Gf-ai+Xi1roy85z;e0jdLJ%EiUdN0P~7JJaH5 z9N$2ZnaXD1@$0*ue<3(?cPwAZ$ER&ixG(5t^!{cvPa^bk@)|ZLX=rGupzsw$CEMx1 zNJNR)wA9q%E_F%yTi~ZJb|?F1XLa0ZOvQmaYIoZ$fFB73HqFb;{Q~|ooP2C*!A9@j zKlUhr(x@saDOp?Z0{bYt!mFdy5mJQPv)fKymnyhWT29XMaQUS>&AQ~^;2{5|cqE&b zw|9OwEFuC(13U6YDgR0q6M~bRo&CMZRtL_}T;0Yk9J0XMF2F(4cTjg8NMqQRwbb@sD=<(|Gz7AWcQulB=oz)X30d5m6R zNjuBAS`)WavdoX6=oN>__$Tx}r#neN#&9j}^f|McE`R%%oQV!^SLWvMVi1uFW#crA zSs)iD*bc_@Ox?gQeI7edPC=0EPdxgM52ixkVblN$ zsssPT;sRvm*#kjEDlG6}hg4AUJ8A^g|2Q-Uj>|>>7>EL(P=7zzfp3LygsEA|GHM(E zK8dmtmQiMKGOB$w5&54(_>1`seLDbMk}u5r*N1;kmopR)SYW&Zbta{9q5FsA ze<-zn_}@wXFLcF+0Rm6K0)B-^;llno^be(RA^(l!|4LUKATTljQ2NqoAo!m{|4>?_ z{@+>oU+Cf|0jwP7a7%5)!WF>(=g@y)?q4qdd%F510V}V-0z5xL&?WyN`M)q1&gFkk z*ShZiGocSX*@GS*ooM7@jB~7`fTEID0;9-p3QgKGgENJgE*uLzQIY($_Zax5c+9LCJeePlo#b&c38qasQy ztt2%*_RZ%McaXkIA5=@&p#r)V<{LrfcZ0mXNPKG8Dp;r!*qx}Rr5I@hSDV&Zy^uMm zut3%CMsM#83)mMHA1|*`a@Y_@){Ak#rHFp6 z-^|&k^Wt{Syr2I(|7*S_ySkB{*lr9ZVD3m2K>_@3!= zg^ps4G3|GAGi@h%ivBMeliw61*H0VAi)n~npA?!H)9#)x*XNO_+t5JTU_hHUWGxlE zOl=ZSE5ZZ)-L$uEog+9>tCrKhe`wE?i)8=Hzj3|wgT=~?bZg|UIiA~_sxnJQ>>EFw z2+kLNNJvxvw`UcNECC{){>qAREvLm>Ikvy>rVa1wtMLBIYpS6qYtZA9Gv!|zh8M*dgJ7o+MwjC^^wPVtx&#gu=l?-Ajbk}yfD!X40eu1$QxtTB(dO9{%0k@5}> zt}w3c!Hp!L?kDL_h3d6Z_2cn#fY%szj%nyyY|+zC5baD2;63~14txD$Zl6`M=^d61 zi|1|>>Qn)22NN!DgKVaEMn;_W3-0fD15djq0i{{J9hTheOWvMKv-8MuXfm=DGMMA! 
za8+#KR}3jMbB&0lzWiLBL45HoS|?>Le!;c=)yenLnRy!lNjEe&pV{DQx-#X^8J*@Q zyft+(U@3E)xTYfNUgh;wu1to>&naYw=s%uLV`Ma53St0U$X%n^hKPkRnm!UF=C0+zhr&}WIE;!XzO*R)=;{x ze%~KTsNBRg2T~vRRXt1ZuKy8%CGw{?OxhT(V21n9vOj;aYL7bVCL`>HxNbk$Kl#A@ z){>~JYVTrqrZ1#g^v0R0KnxxZ*gZgok6z?{xD zJ6|z2i*xSBpZ`+Yn(s49TX}iy?qZ@UxEF~FG_bsgCwg!ey8c0ZfniY*DA zo#Js&RlW`RT%6N6e&0~T{ru`WEW8YdU|ky?F4@Uljw0n%MsuIqZdPxkI$}Dse(Sn% z+W+`_Y1x1zWqM|)U(P-XzXe3*ap$-OMmk~o2DjDrpPqEz>v?$FuiW-Be)@|oWY2WA zII2Z1;6ofhC@S2bu#EEL?!NT!273I?sd3_j?ITVadD<`RMUPhC0*5yYPI#%tG2ynB z#;+*+iRgt;e3q!`cHI}o=7cZ)u65TpZ|ml%JN*2nQ!$*Mz|WiIS45KR1>|2CUpH+X zw(%O;5H2?GT?N)Nby{W^%eyu~B)|Xl&^&*wa_&1W#@rX$vh)|XNDMjJ7O5-bUAK$4 zg(cz4jGT2$g25w%{U;z46f`WPR^7Sme{?3W+tufd$#DtHw0 z(*6qPeMI^WB3v^Xa+r)nyAEVkC_0=E-%N_>mSwP^3JTo(ER=Cg8zKfYvd7_#ls0F7o=XdiUrN&e4}&cM$is&^9dz+UYUpUIna% ziwGdgan&*T1i=|{0;C}s(UpJB1zT5$~yBe?}f}OcpG=czHu;W{&Tx`4Sl`64E0*t zAB*ODyF~>r_OJquexibBn=ImPt7cOt?G@1ef)uI1$y9MqMUj^NflV=eQ8>&!bf_Pr z%P<6Ue9}I8{q%#PDu;1bVSFp_`1cFn2@z1q zCo;_L*occGoNpZ*R293UJsVaSoN2Z!@bJm{v@0m6toG#en5x!glF0Twd2#Yj4e;O15rJG|KMHfPw#A0 zuh0n6ta5@Hs2@Ju+}e6?@e|oFf9&awf+7(oCuh?J6EyVPc8JcTlDqhmM`BP#RBouA zxHA94zLx-@P}Ao*c>Py@oKn4feC3Lo_c-r+$FEgJ%iVNMh1RTOae^<(@A9_TV{&4VMlgvCq&65WqY{k8O#^1@d5l$r zwRvVoN-l=YwLf>N`>MKUH1SuO*GG)F^j_f;OY#vM={ZK(Z;#}Rhf%w48~@r6Frz{& zd&V^gAQ7GeQFta8?wRWK=d$tfFN3y|7|a!IJ?m7d!Jz$=TrsWO0= zXb_26hGFuox%m0}^V!Wg{rdg^l)9G`WTm4EO|~)7(Nm2Z14BbkI5;BeORYtKUuk!` zOq3GWjTw2dLVL5dJfB9Z9~FCRu5wlgbe?qhmJT}pq1$rp5ebJ;2f(gLW2-<){4Jex zqhVC^=Tuor`2;yYPt}@lZv1!-_$@}?`LBHntF3*?bD#tl1}>cPt7dje&1RpCq79wO z(?N*&O;YsolbQD(Pt>m``8N6!KTj(bczk9j}A>6)2Nmc*f7tw>CnEmyo{iAwpV1-gI5m$uUw{p(GagbIE=2_m|P9 zeL{N^latCCB|+={H^=>0r0o04o$V?Pz4_#0_|NRF&kx#_>_9<1Q>kauj0xrTIkjpu zHn0Hb+)x_F=-{A+V)~z*!UO;(7c&QpM9>E48k;(>w0js< zEP+>4zW!Jfj-}~#d0q$)h3_h3o__VHZ)ku(fBzVMFc^!xb=XWRX??b9!p%%60+$Y&hcYk{C&at3_?xWphA4;urBm4>oV%K5=! 
zOzFaXYe+%@UIEt*@tue!G3Pi4;i15I72GU5KyD~vzd~aJp*HGjv--t%+5X&rECvy&K3WQm(tR(%w{}85$AOOt5fyKcm@uR znt}q;zDNR_1%G&Dg}o0F^Yf^$4lCwA*6YwmhRXt8Gil*M=Pu`@NZUq?LYBOJc27Tg znq2%^nyoR`ArjjjeES3dkXl6S{fmpf=lk;jnVU%N1$Z^^Z65n`>deOSv(+zYMg90q zKA`|5IuiS{Ki|OmqWC{GbTu*5SpIkH^5OaIPKEV$K(_BN=V<{G*;RFBrJKR#DUCbF}*Loro_! zYB0c5{jLvM#(Fw^FX$`kUS`rWFdQqtFDfdvMo)VCw#ohHOxcT)a%;JM0TSBAc-U+Ew2=uiOSRes-o+Devmc@TT5n>p4c(!NsZF_7F$+ z&2CAqA-9h`9OUT-nH2|ZZtM4W8COv<&z+DLM2iAxv~dDX)kCpi<9hZYXE}2K%Or`i zcW|iA^q@$jC@S>?&dukn{8j@&?@RHorS_6V%1|6NHMP|vIa(gL?}>L$eU_kV$LF`6 zIETRqyZZQEK1WI_tj{ zvI|Y(8z)xD60=)OA}0;3*LcM87DT$b_D{Q5H<=N8ydOlIRuKrF@*KNX8+YSYsT2L8 z6BHB#?LO1TDVKcwfp;ATne-ITyiZ;OYXE3Vle7HluiY)`tjYXCxvYMF*NklRJp5)ey}B}wuA2~$u(WrNiV^tLEkV%AYd z@GIg|pvp>nl;f9OPiuP}6;P1(4L+>x7sSg2nqnacd^AW@M6hRSDge6k49KLyA1g71hKonKHM!eQFaaAGO8p^ z$L(i!{WN7ijqqVX-}&`6QFr^zueJkF3Hhklg@HCmg-(sbV)Fs$hJf&6AL0~8BSLXY zky%!J)(?7n1d;k(9;bx~q9Ln78wXk7zRVl=mY8i$;$AWA+@!eoS39wao|Q#k70kbU z&JA}E`EEVvI~)>1O?ktg$kBC)^g$Q2UZxu-XtXY!;ly^iJwcg)O6uoqlHr7hY8^td`~;IBI4DtdV#u{a9MVz2DL)#U4@8 z)=vG=8T1`AW1uDI$Gf&lhQqj>(X&UGSnWP*94_6iOw z)MIlX2_!wZ6wlN$00DxDlfsKXkdjyVZUkqcBjTK<1KploDvQ4FX|2t(cK< zdE^(vP9Nf=$IUh6-{>A@3%LFOd7e(SVOd$K$Os{o;`8SZMzB3>$n_0EVo+a`46RNS z-tO?^FcqoK9YUkz?We6zzULd@e)#sHfVgM^U|Bx_7zvBdp}vb3JQX^1D{8S>c=#fU zUPex?;xV_p9TWQ}ByHF6wEkFfWS*UwszuKg|A;Ym&{G|5fCoA$;W}p?do;=jVbks& z)NWj4=g@^$#!cwP6%`fv)~O#p0I9;9CcM~E8$NNRO#i|I0DWfc?FeD_50ej}{co!N zxLk!TYDaH|a20u-Q$~D3&oA3PxOP7j-gREE;?N1&OYYJGb@Nlt@+mYS+77r z+rN{BlcpJ)0%KD)fhLX`hg$Gqw9omz-T|);QBbA-?_oZ%o1@;#i~Y31+JOaA`B_u>yNz-t|t zEZwck~e? 
zhv%8PZEmdVWO}F{SAr0c=^lXW@gwx+bJ4f@alMdt31cQ8SFcCS!_fo{L-+l;V^EW% zygdB=!4(t|`q&Xg1XTwU?}vO3J0oUhNQ%+Ku`fWXNuNyd|qifApA*ZTe~nOkIgsjnT2yiofO#yt@HSVJXWoCJ+wGm#}Pm z^g=`pbagSRdeG|VO?ft}=W4W!-|;!pG((4=2F*&ahn$J}pHMVWy&3u*kkW>Bll#4S3&0h z0`m7W_~Fj_^3Ug@!*YPun=(nWKf%E2r|#11uu^u@uD(Ua}_fdPz2Cj0|B1F2=E zB^(h&Bu2MwFmPdgOE7C&^hp0TYOrKYnx4C$B0_VNlf027Jr5`^F?woIgCcS5t!AsK z&tn*ga+4w@*@5cDj$&xm%9T#mn)LEIe1CM1w2GclWH&5ZE6iKkB(ctk@)BbapUWf* z{~1-;78zzA&N10Th4_cjaWP0Ul75e{#JR_(u5M^SRf$JqN8Yejx&Gaz;6Wn7XeN(h z%si+~g7a|Cv_}ZD0|zMBRl#(F#s(5R_+FwnvwX9Cm%d;=v;G%hXtjhd*R@6@$LGgY z`_JZ<$GeAHmWK%&jLggh_v_iQR00}p9j6zywYAoh#rYTccm*zC1`bTOO{38yJ}riDu_(pmYi*^hRlVQA{fJemZ2my0{J2x=?$5)vL zg0&XI6kuW|Sr@InLWE=jVNR55eQ@wOTSGI-W7r$2aRv%C%P|a|FKs}+)7X>BuBor& z_(>jppu$q2Tj$&Pu$9PG?-C{E?6Ua~vYes^By0CT?G5y2ZT%ml1-v!^x%MZho9wqRmqBQd`?$iB$B*f3b+IKa-=><9?i8geQ0aos zb25|S5#klvTTr)A^%1rASPlo1($b1qj!^A9ZBBT((R;c(NoiXy#U9(Kn$54SoR#RM zO8GQAoFRMY>sJXSRG#q4H8O&O$e#7Rps>TGb{5rNrndE_z@nc8fHYA%u7#pzcz9Tb zPRI3&GAV_f;V%(=0Y!X>S&3EAH}}VIIMx@WuFImw2SR5?bq?#EY1@X*D|u398^>~k zilUc{%hN9z<3I_XT##W6#(^x9VOKNOe|CT!t5SYw~I%t4*@GkuN-%DXuPQF&$+1OE5Lt~496+<3OoYVu0R`B;9A*_5PM&)|4sZeJQ zroO&q@u^NBEcO@6#*#ryHjmbN36{Ti`jTd%VScWL@RvqlFg$!X|4{`Z6e&(|T{;Kq zuG;y60{TA3xi@`|pcv`*7?a;T88fgN0EmJTVZA78*_V%I-Wvq%0VebuC}?Ps?D+W^ zjkV$6Fc?|_pc?2ZBJmgKvweUf zjTw^a(nv6B3;SI@T?kK9-?K-QgT2C_bqWHoQ^fgN&(?MY#6-SiyrWPqA(|dbO|UZL z5-*q1DU~io4k^JEX*k(}p;@W}gP7`OQHH3vJrEU-K>G_`PTCy2aAGVqUjs%nASK49WKWB*u}VQ zqJMsSj;R0D>c>!wbOceu4li{F7|7WD?*42?z6A4OsNTVDdHvRWs}xSDZ{ECt;~)5? 
zoMvBM$wV4>dkdKIpy<{kTwR0k;P!Kdt%@TMpf6T5rzSU-$Mvy6Pq#o>iGgBH%$NcK zfsK)wI4z8kMl68p7(ElEsufICQj~S_QzJ5+2kg()DQEGTkl*|kA9Y;ms$vDTponvU z8f$Wl&%ull@(3Y{{XkuQ55K!h5&s_ya)NtnysF}&BDz;qm6h3?W@yc^jwmTr%H7vy zyU>q3s1kdik{k;XRBg|J1HAjrsh7-*Er0w*AL`uRDEFH0eHJ>7ne8T8c-YX*q=x6F zq>wRYGM)v1R04InJBeDvG6_!ukdDAGj$qtQPl6%E z*S5S!pL;Bt5Ebnnq>Q;zbt!m-OKQdh=@W*F}BCZA)**!jg_^*lp1Pm($Jj+m(Us@uE=7Gk?g1g2C7fc zN1@pL^qG=}vYTkmLF!dqQ!XDbtv3 z0`-hAL3tel2S}s1X-os`&F_IEh8>?oI_aRDi()o;YOCJY9nl$D!@`~p_f zIYORv?{fW4FsrdNR)XN8eb4n{9_dpgn0@5sEK7aL3OOZW(H?s3ys*WJ0nB}b@*&|* z;K+4`LUR7ja?pTQs;1%3CLxyg4eIQsq0?wz1zNvjmGsVw_ba}KBBw7<#4v;t=L+r% zX!8s6yBU5-Dupda)Z);G>(xIPfmlFRB}PAg2gr`K)GQ9aV&b3)@Tk>Ly?PW|iO1tf z<{IlnkJxx4d(fP*q|t`xc4bRLaS9TKWKl47LEcIbX)3dig$R+>9kykhL(;^u_6^xx z@)~%P?=B-FW78Z38XH9gV^50a5`_$roYIevkJC}9zm$b4Nwkl7Q9VS`Y@}+)a{(FY zCw)+>Ky03pDoWNhNm$t-UQ51Ldcf~QJSMv~5G~KQy^Qc?^YM_xgN8-T0x>U@{cfj`b+c)XltC7AA@85|9 zU=o_4PUcZq2cb=nLzn{wu_Q@USlxrG6M+1TdnegTAdcbG71&jYT4MHO$a%!-qIz>O zLm1@W!y&2zGc1gw$B!RxlFal3Bi9*2y>GAF<;ex>v9%>_@RR8AKdX#0KEtzbe#XA| z34}F9O5(K~Q1Wf!a%JV@9PI95hRI1s=aFU-4^m4Fes7b*_p$=E1J z8rM1w<{RXGZLF<_q=dg&ga+ZV65s{Bnes$dbWNqJUTAZF z;)ZS@CHvSQDAtsOnE(U8OqBCHjD!t|FC-G^B3;n&)gOA`IQJo0WmTFpxKQHK(%DDy zC$X8m;3uKt(j_ll|x{fg4}qS_KD|WbLRVC_P|I&MvhGU8orC*}9dFMv~{|bfxQBQ9!eQRc!CLq>1x@uYp6zZVh{?90*Kye|YS)^-o&i<9cSgRLmbtL1ACyS;u|#RGQ}~aa3`nV|R@>ZvCZ0?7FsX!-dF)MLUU$0fCSy>* zsL3xfxGljTFN748s);wTP(abCnIMi<#OEPxW1$m&D?7-0tk4$MpqN?LCdB|70FzlB z>+i3Z;%~=XE|_Y(e=gTu8{dL4?cfmqtKAYX&y3NM=ZjDOx@pH5Y(NO2l5lcybxj)l zs``{JL((&x%0vNP&^=P1z!)ps9?ix3lbrwDO>47CP4m=L4?$e9uKy~Vi9R2oDj{BA zB*1J#4efLXgcZnP?-v3jlWv6kSrE69ZuM|tcw^&62pEUJ?!=ow(;faYOq>eux~v)S|t0ma&O z5JDyKKmf|Km{b8f$_vdB8v0m1Xr1gXa_v0rt%|ar|C&{Wr}@WG;M$|Ivl|~WLRd;J zi7Jh|qn${4s(h+eq)GS!az5AL&D~aljZfe8=`qHHlK(7vbkS0`O^+Uz|CO7xc_MBS zv=pTagVBFX3TC8>K*0Zo1QA=Gz78k#;ckOlYMwXf9)vFp?1(!#J*7x!qI*~`UKr$O z@)BkBL*Ck`oP8)yE|e$4YV-&EQ6FNOX*TV?yHMx&xUB5jK4R z8nqLexIST2oVga)H00Ox{t@}u+35GjrSIhlcE^F; zVl$2{ghnc>jyh8K87}XiB&v_0~=Eiom()* 
zo)~LJTp8*5q`qcJv9FsxoMo%q7CUHj~Zp)c=`PpbCkI$?*cn}4R~Te=0eA6a5f=(`D&1+T-= zYj5Zk%~jS|yQkw$$ms!SFqsg$=}alw6`8~|pj3!^j!j>m{j_XC-2pg*CxKc4PVo|& z_$q)$BVI}w)&|A$`JH@a(YLjib4|qnAlBTQ^G{4qomR!=vv_fXd+&j{gD3%!$}f-r zaF-MAxMYQIUs6&MfP|4@24CKS9W9Gs9a91>%p-(`Do#GmKOpuCR*8$jgY6S~Ax{$X zisOQ8>IxU_(i%2H-Pt(ARLi`Q4UStk*E@H0-nH_JW~tw{o-W!(`94N!$q7W~;`zxi z%_Ss$8iXZ=gu!z=BJ}z5=R^WGlko=#ALc+DXT(56Ur&y}qkSjfiWaPB&n*Z1&2Fsx zB2*`MfzCgS|J7k>M6!4>G?!57N7Nmbf2~_8HjOaZu+$?~!iYHFwl}}TQCcNHUop(# zZlcng%`-+$fG*iM_E-1MdiBTA*VL>~c`IrgHc2;MJI~>AHHZIr6|cbv34E*?D!qm*Bk2J07i$qne=nHyPr4 ziYY;EkmL~#(z0lY43~R-|1)u0_ZANysuz{~VraiYRqkDTPF>AoyK5QZEP(+%(=r** z!c}9lqDZD?@>EIA1QTAA6f3V*nqCiRIzQy!W>LxRq51j77W8jYjt}5% z&fS)ulj_I4vY_6?sOA|dHF*@V5a1C_LHUS%b=h;wf^ z&Hy|P_sODv*1&WE!8%x0SL4j~n zXleMzbFg^@4Tl0Yfd2`19#$mZ6*X+s>XhHnVMx@ousY^M11juS90MA4o;SG_k0z$l#019G9tn zws+sR%kTM8=&(w7AA1Xpr%x~B2Y_`CKu50CX7)om_gF)NbQxMxwZy(#Dx+a*4I1?z zZESVx;Z>i<)Sq0g3$3ujr!395E~%AGA|o+ix^Re~b$TZU6Xt=B2&30UNDk8) zJG5bG2AO9q*=zjZY+gxBwRzA!fOda7RZ&LC#-9ewTLTB8EYRv4AuMW46opw5F4Ea$ z@z|1Vnx5{AYsb~0GA4{EDJK$$Na`n9uP44oGmWvrr-&SQVe>5U)MN&*W2^ZcF~%m{ zopwK#2yAc-y4C;~k?rwJL#Pq7QK7YtE20@Ft-5*SHlN0KCiMz5L-j3@hxc7mr4RYT zo^o`qJ6{jVA+yuh`P(o(S7CGQ4itTVVzS0J&DlPfrC@4sT9frsSt^@pXFQV>C+8>8 zWDQZCZ}fLWm@J6mLS9F7B#+qHWlI);FKQfr{N83xkAC!E=m@4|iZw2N>T-ExLSUpx zZ!WcNK`uLJ$yWDv(SP9Xb#)w_Qd{7CS87HG$T=GyaIvQl_Bkwf=rKzGMTZDse4+Dc zW;t>F@$I92Bn_KRRCIKk_itut;T}KoNIFF{bcos(?*` z?N|$?MMY`yNaiJ*0^jpRB$BRKom^>@nD|bBfWAn)BAcSAL+bG7RORsY zg!Z&{HQ11i_O(_R8lr}slIWFT9))eeU>CL{6AEDwxlNLyCgkIRUhhZ&L{lXwINDGfiJ zEK#McECm3&!QpZzB_htr9Ii#z&50t0q?uzCJHQh%^54Ig?HRY;c(4wY_`=?RLdBoS zSa_zZWORoTCLwCKdsI5A7n1Vgnu<65Qn@Zg}B(|IV zhS7k_HT0tORGkMA3}7nxTw)vIlAr${ud4aUzweo9Rj1b;E%*6t0<*Sgtp*Fr+bGgs zo75jDx_>73Tg1$LlNcc!%5_ckH5y}Q@?hq*Uw{p&irqfMq7#vNi!dZl^D# zDTir}^=^0?wv&beC=1q;cVpaUc0&i#|0ScIay`;YYY0K1E8JCW!w0 zvtGzUYEH_LEQ1O4LVm?JM(O|gY904yJMX}_fz9*jhM6tAn8&m@?QWj&iVnTQr9N{T za~HeUN~5(l(c5&EQCqfO#&Pm3fPGzqS;jZZRfd>Vp&bC%CBUMyl?sonZgW^_1G9Fz 
zqM0kT4V&LGxb=lG?Io;QUVTJ5-GX;#9}_qqtaKY+1pqujQ&JZ{3qGj{;s!=UEr+66 z-2vFIO~((wy-#2hc3mOp^bb^tXY`S)4NW7p%L+Ad5*Jm(xu=S^Ks@=^v^kByOiI2Z z|Mq39Ysl!ykC6q#RwqOj+UJp_WNGDs+=l1{u9i^~SpU3BNToNxGV0C47p99fH^H`q z25%%v94%E& z7AjOD%^Zozw1onoP`N1>P5F|aoFV$H-J1p!f^kqRK;x*9GUM<|J^Yd9z?=w)qksMUw76`s6Dg6=z zd`{Ot$K;FQM}t;~q!YlF%Pbbd$(-2C^idKcXBxTHK-#z=)8`Au^S~PElUf@4L8(ya zjsK*=a?Z&CqRrnzKtO;`gi@Wx{<250$}BZLl#o=7M|4Kg zw&s3Y0Fq2^Yzt%oDIN<|ptC!Hag0h{Ly^hf_i@Rsf-2^@>2yPEbpK0s5i-3qtJKNm zQh|$whH=tg52?B)O#5XV>#l6zt1-Oe8RZanlu3jAc=Y~hu-n5ArEXt#c6N?8`U_Ve zoi{V5LRXnl0QCF{MtH_>2nI{7xlOx+PF`U}egUn=3X60Jgb3oM{4jv!Q1UtaUrc>> zJk|aCKQglpiOh~YGP3t3TatCGa#FS;qloNTwj+CntelKeNjRd&$T}#pWmF^?so!T#-mmxdy5{rwypStU0`xdZ+c5O5e|lj}qRbA(K5a+)x1PHaPAM6=JO}wTDX@!eyN$hYG7D6nDbTrB7g9p0NR7!+m0s?D_ot+60|6 ze;K-)m)2Hz&=JI)SUC84ffv^j-4>isY-W(d%eG&kn7bx9jQIt&Z zZ&Og)Ady7bY@`8zJS0pU^-C=A*27TB+r4Q+L7ZSfIkbhU^70-dW^bf)D_s=RHL5?J z6ID9sU9I_;ZB10OikhrJWtODGq=&a(T5aB)CrzlK=C#4=7Oh+u>JNHauE_vtLE%XK zZTJSbSY5`c4x?Xs3W`|H;7#ueUTa>Dql~wR0;ML!{q2hOH|CZTDNnp0WkZ9Cfsl?Y z{CpKa0Bp^Hb9KKhiNQTzxhJx$a_5vt>~HE%mlC_(m5q=B&^Ci!Ohhz8kk`j&7X)Mn z85dg2Ol7@}K|P%kiVlQKxH5ZDQB&@?q)NzsV~%%O1F6xR%J@#J=Cd24uPx7gRoz(~ zHG03RI42se08^$H&z?OqeTq#7?o;@YlAYH>{{t;2PeJ}RT%(Ru2EdUTn*=LTF`2eycS=s6V6p#3EBZ(X$ z%kbu+@%e`Bpz3Zu5KrJXgHB~C9?S}x2%qANf$E*z$}hEfW@RAdg6cb$B6_7(@O%OC znB|nxol|yib}sO`$MEV_7p*=?;HSkk60JtXjB;sbey72DLv(J5cY!|Ym?q;@MkG-v zF!~o&&np>iCll2A))>DJ%p+Y4ObqIRCd+?2`Rqk*_8WV;jPo@=ZJ>9gn+TX5Hr#}~ zkD=n#=PzI4U(&u6SFs*Wx8UbIFBZE+p{CD-l1!x8&O`r$AkH(z<~ zzMmgxe(@rMOOXo?TeDVhKDk8^babHRj0?p{b91Mv7+WbfX-ma_^~%1>(`{sIjAKSz z<>}X!iF^l0v=Ye_xh8e$1@2(h>-BfYo^QMyM3Dg2H084PCxj8V(;t}nHgY^6c8OP! 
zu|FslFKf3Ay7zug%e=xjzQK94%F=Zfas(f(yu;5~Ad~Rn?9t`my-@_IIJztSW0jz8 zkAD95oQEju0>AxoC9e3&(OP-oejkj!ZJeutTNK%(*`>>uk)&Za=D?{Wa?6&|y(0{SQ)NSB7mBQ0qo|Id>TwQk` zEnct-$1{oH-s;ucI68U{s4f!ND-B2ThMck5`TXVPKV=%`d_qUlowB~#e#z8+_d0$2 z;*O>4-~EWDj|M)F@RW9);pe_ed2&H8rFO7@UZdiTTNDy`Pjl|M&-}R-0}BWMkH*2D zrBE39$@|Rd==ebi(VbQq9~XycaDbt|bFB?gEBl_b)Egifkw)ROE&^VSL-cwR_3f=u z$fZZiQ`eU4v{ZQ89~ZuX(fC;)`TmET=CVFZaPomDO@?oC4~a>2m(0Zfba}B5qWu* z__G0m?}nXS;)x!iT73DNkNJ1KLQH5mk3GJ0se*Ji3i(I{JO`bgJJOzzHqZKSy*k?} z>|mMwdhyr`43<`gs!-W)1qmLv>6pQpj%({^C~`61?)i`dpoN2=!a3%qFo@zIi}x}e zO|LsiU!edOGGx&ptJ69Kzd!!y7Qw2{#XK_tQvZAXaQZlMhFRp8)_7z_G2;-+6WcOd z*+=DMTT^!l9gUh75IUkt3?tGG~^QrA&i(Op(_=c^dJ{npvTrJaNhVWhR-lW;@z2?tZ49Q;tk(GPvAForU} zSXID{eP10UwNP@Aaf(~;dfC_Nmokh{1kAEpIARLfV*^u3T zcny6PgTT506v@>v8JL$$tkx+94Fj_ZnY$}$=plPN32Da0o8IF-^ou*h(D*%Jew|n> z`Q*X<&v@)FfH+pxKG0ks4>@6SuI8%nI0pGyC(@_KeSaBgoT+(L)=SHRu0`6y^bLvt z!d%LJpmc|_WR=9A6^BWxUn%OVN;NlKnV|EAz75oInFMWT2 z{4lYw@b=kZ(PRr2jCQQ){^1Qe8oUgobA=S>xGhj0{C zUfQS*LzX^QNKetBoP=a_&AyKeMnCl6bIh*Xafxqnb_g0Qof{IOXblVb+T_AJFw?Id zBzCP^cTKQUH1R|p|1KISzj6&jLebcLD0aXVMNh5Wi<2FLPWblCZF4WDuu!@Sucf5e zh~GB6yclCc!DeycLioU-RORbbUOmLS9(&DPzoG`x{b&<6URII}%G-ayeM2ClaRN$~ zxip&}204qn!0T)=EKo0=M7Gz!AxgIjtz-W`-@si0KyI*`fPdW=G=6ZI72m>;hsaVi z3R@vD8$PGegdg&1cIhcLg|cwro#5?7`h6>vJm0<4%q5xHzE@ji>kIE|B1hGOC7xUQ zBta7t!B_ykx7zJQK|w)@u9bEOaOrgZ=F56ujK`KmHBbH8{&LYZdXe*tXu$6G*+S#C zcgbI0!VSi$VshfGxWhVkuDTNU^3q0zX$&F*G03YCjN%T@nF_CdVu^62--=Kf-g-rl zoqL-u_}H;kBya}!6xa;=o-YJ97M*Za=gHdSuMvdzoW2he<|)yjXODu^0ARLG7Z&^O z-ueDnvo|-4ZBDdZG_M-c(meIMTpzp+!sVgiUD)m$wP$BE854b0#NPFz_=WG|!tE7q_m0XqAbEF8-P~g7lp=^ZcDegs1 zXoo68CXKRY9_Bf{Jq9=-q}os(Kg=!9Rf~4V4mM$r`|4)v7{}?*$pW*v4?xPjcGGQP zpGzNA0+wBhz>ORfaq0(vQs3`=?S zg4p`Bp=_nUdN(ViPi|RU0b+L*D(7ZBDO$B}neQEX&p4c)zPQP3K9 zhnUG-(rvSraPMp(ZjH&dyKUvZ2zk%cs|4d$tCf9Gc#4{Oq_NL%rnEaux9EQmS+p0gW0KME zZRpEH(tR)(q7_@CpgBb(rd1R74#05QhlJVR00z{qN^`Zv`MmRF+!(E}Ox2+6weSEk zSZt81M01o4p>fn+wn!=7e6OBjujaQ^(|zP2jL3-TW!k1rokmPL1>X0?T&Bj;{c#)h 
zi|kK>3pDfc_C;lmu;I9CrJE-Nj9>F5QCHBFR5iV0Bz-%0zDKs~lpygXRw-|eS2-KT zeruw{JZu^!?8KvJmgb4ge#V<_H@`RyB*d0-X5o_*0+s*vG*xo4up4^je-_o`yO+oC zrOHyL>{HS38#Q8QVrt$K8QmspH!(y}Hz*fGgHHYPAZs?V)w&Yt)RvU!V@9p|klbAt2=kFdr$|Z#?A6{%l?j{nEzt(q(Lqg_sdPzy#1m7(TncVg1dk*sNP`;fy`NYMC$muaBboEhZ zdUx6986;S?d!6Eo^b}Sqek01O0@feD{rU7WLp5`nmaiF%FN|LOH$pRMF*$-*KS~FQ z2~7Wf8!Dr?^E!*Gei*2033nkO>Z@qyEY0VNs(q%<}0Ft6w z>dQVR>G!OGPf3X_-NslTd~t<*gz7`>qo55P$764WlYH7E$b5g9g9hsBQB6l@A~)S7 zZ~v2nDHj|_`#>*o8heGJe;Nj`4tGwUA53l_6&gMJWUN)CpD`mNL9it=IoRQ)a@VV; zawe_6E4v9u7V%$GLDRPLH3{IbR}y*@7sql{qS)Bk6MvL{+SU_@X*{0!fNWDMFRJF` zjLFJVBAxZAZYhoCl>}RArjxIlW#ww1Z)Cpilk5(9LpAqWHS5jf_i=yp2*wW5e`qET0 z4Gvk6%|IXxxzdvcg5hIkYg`Axxu@FMMjY!-GR;?t)?u+82E|nw_PA*#NN`Pc&W=x!c}mY#@y%`jV(KG%G17VSbcbR(^ytlUD?!*WxhZEmQ3 z>tF}x((qV~)qm4F_b_u-Sv&~!C5_+D-Lp&1sJwm5Q^+Oic z!;>R~xz**K4>cy)Ai03%qa97v~1U1(iv8=aI~K(`p41m(SPgjQ4-Ao$`J zrhC@F*(7PuYC1x*Zs$QkK@#$$tip{8@xZe{Xvokg@s`l0YO+%m=aZd) za=pVIFs5|69TYW`X2~=^V0h(AO*H!%a41Ed3MnA+CK}d2OqHqp0BjMGN4Z zvFUu`VFm`H^_C!{h`ZgNhRG`Amh-UNd$#?d)ot{A4o9w2m#}5>bFNmlhU%B7e0q5s zW_|kuk znE-E+Qd-ylYF9j8`l#XB`v|1Qv-%mxd9=tStFgd7V15Ean(VYR#tDh-6UQU(yIL{& zU}`S4IntqS0hg2E3>qB&0PhXm%Q2leW&*RmA?{l7LmQR~whBt6Hi%0cQp{nu(3j>~ zAh_+`(_pD!aB&0jdfmN=qUv)#m=q3_CDW9fD7PFI(o`v!}t3W8}d-+Hp+)xX(@V@q+4d9F{r)0J%o1Zc2AGKs}vJEMZ_Q(yWX`Bpo;(l z^=*gE)0&#~gKurI=I;yDFFEo=Kcm(Z)uA$^6dOH9N%Ua~WDa`TkN13XCbp+c8LGCG z?lCX+1tG)elu*EMKfn!X(r}l>-3P|~RG-ZAu$zgUZN7`gSAAaEkP8|P+rU88^PEhQ z_8a+VqsYb?)|DBQ7TX(x{uh(sl@bqHM5hi=08v~+ARZ2 z^jHaFHcJr4zH$&pn%TAjYoN|uozG>TaVETyQ4l54(ph9T{9 z6+UWBCblQFj#vwvfmBr(sTurO`68*Q=+2QH*8G{Vo*APijg^jX{5qM1WNB zvsBb@M2o5J0B}61L7S#XA3b$2ry5Mo$%oz8*=VxiYnI^fy8$`aA!SaCc$@bpr5=VL z_^5yPj4-09WJMw=oPKtFt3YtJpp%SOIphaJzvzGKgu-$Pl9H*TjL=G9pd&8$ zsE@mZ4bn(N>|G8Au#KOWCp0|~XPomX3l~DO`0;AC)KrWYbe&0lrpK<|^z~KyvwNki zPeDBH)GDOc_XZGW;!c&Q^`??>^YfE6AiikE)$`GDqz@X4iA1g=aazGh!)K15drB5w zohQ_Y$~ZC0!?X^NRfMV{z%~zf3UCZ>b%_r?wFb-gOV_dC1;#jK-I?a(Ij%!SrQl|B zj@)O#?gnz#9Hdp*e*aJamR|&}*}rSPPT%v)>Ase+Z3@9_R_d%b_Pb^5j*Oz{iWwKq 
z6LDsnH;jpXmSR{uc3iKsPU(rYLS<&W>HlPw0rrjQq^hq=O@?g~FeS{X~Py1g3P%1?V_cTR7tl~|$hW_HMq0hj!(eS@IZx#QN+>dIiotP&` z=Vd}PR=h+ik5tDa=c)@dbJDlPHJ_HQZx>hwF=5;U=El*^}zHpr~G_W8I&Y z6_)i5Mg~p4FK8~#zsmY5%iW&~h4z=twOV6!v{$XSKf$?b=;+`|bQ6n$%y@LprcgO2 zBj~bUK)1v7goq?{JZqYUjvRt5JMl9WV_45OAjRy4i4{%px@a>+Oec~Jx?PADD`K>J zjb0hZF`{Fm_}K!mERaGt8wi866ge65rFXX?;p(u(jxwkjEh&?y+2n|HB;DY6xF6|JKW4x>ISeH&??B6p&EE$}3ok@r( zr#7(qkrHtsWJE92^ju1DWH)xcYet<~D|ruPif~7~*5JJ|77_|!`PvORfF*GeL{V|^ z{frk4YJxBho0X91R|*_j;4%^pIFs!YXD-gR?A>b;8Wo4mgT~FlGrCSl*%d1Ut*F3! zDl`=<^>%>@sK}nCs&n#*`14h$;0Jpx?opc+EO#wghp&;NS^p6}(Bf@^fpyFip?wty6 zi1OziCvv|FRhmg1F?tYU)tq0kC0^kbrGB9esf-Ji+Wc$q{r9Eg9eC5^YFG6MFx!4V zOl6wmpUR7i^M6=!nQ|@F#rM7jO@{Y|Pq}}w%kQFsj$4S$t2>I%bA{OFXtzx^T1Zzq zhf4MMpJ<66U)W*3=49Ym`~11Bl0pOrC7qPHb3LW0v;Sa~<(VF~X8PLKB4*Z}wC`dz zdPww_&4lSWG*%F^8Y?NJfE=)T{+GZHJk)ySyv`g>Yjp`YglZHN6ju!NCDk-^p`zgq zL&*2J*8qf#_f-U+me-&bhk|W%XZyLv3&2FT>GE_HtRqR`?fV4aLYxU&u7?drdoapX z5cZjO8MmtN(1xfx@vKcjT$3N>^EOZDxip$a>$Yb^D+B4SzH9-n-jAw^`{3gffNmZ zWCIYIX#XAow&WtZDo1m3o&z#7YkOuNKYWpB41z^3{Ju))Z@ha7*9CqyVTv=z)QlDC zDr!xurfYnQI4rUsx5L0Z_Z=(Ir**D|Hpbw={iWhZw!h;`F)fgo6?S%Za({L`R`MQr zg6~L@$o7q0;){Jspe7k@kUN?D+)9OGs0niLaq|e)is2omz;W^7;0(~N6~GBqj^;#?X`8g zo)Rz%>mhTv_$PcxbS1>~4Dr(AHK=1p(G<(vd>i=LAaI{p0Fy1r;+5R68%zzzuDG$m zTY2Xcuj85eGZ(+hX_=8W%3q(xWp_&{G{VH$Xza0~(RbFgq%{W9rk5_$ja4U($m@hb z>wB4%!N>8DbjiV-Z3Us9eN*m7(h_1jQY5Q z#6*6qu1;*NTYPPpI1QDSYpf%E(}sCJ zE@43}O;=kJncKIXwPV#$d*P6W%+BbC8?5FLshuYCMthsARfZQ^pjWQBC^Jq8 zXLL*itF%Pod3rA9))SZ=@hu@V6suE0EZ2}X!i+s>Y5&{?LAq23nhv@qXyq0IiA$$_ zcH|hRdh)YWJgI)<&5O39*d)=UXvVT|GcG@VzjLk(%x^vdeh?X*5k+lqI!&T7;iEmo z%!o7m0W1nmokECfgy!^M z0RhmmDgs^f+h%g#JIv+&$AlOQ1Z8U7y0x*~TS8_2IdCPT;`U}+`^Kao9 zI&?*2qH7s%)9QpML_zDTsA)1prIIJ(cm+wU#KCcD>R}RV(Xi%OzC=o1Y!_zng0rha z9kqgxyfZp ztdlic55OSZ+AZxrsMGpclS)F%=FZ>4U#Ss12;AS+6;2H~S%6-TXzP_5XGgr&+HVV^ zi>IL-KiTI1e(sN!DzSrG)W$Glw;TMrbVWReulfoLhz*?k;oNu<+0%>{SEN3G8! 
zK}(EMW8Ya=mMEVrdkQ3XbdnH6+-MD+DAbC#*;yf?Yntsv$IR&83K9pEY+o{3=x4xa zI>!ExSfz;9c;a$9ow{hbBo^I(7cQeI=ECUR2KzGA4(}Yj+;%x{2yX@qZiy2MLJOScd3&t4PruiwX%A(JEwNLmG(dv(^JqqpKW8Ul zue|RkzrwD@E1BLB$AP4KK(-Mf60kC;*+_=WJNwg)}GueoXD*#h@=UYN&`*Q_neR0zw3nlhE`NktPb_6&6#L~o^ zsAQ&#@X6#KCf^VRP7Q6&>koq+k{lB!{NJucOSpVU_yjT}GP_xI`Nh03UnUwV;uxQ= zMp2zWpbhL()6%3sm%{?hynVdYGBL5nT+VL*RLnF)nw&4D5RtQ|swEXMs8UCei*<>j z$loFx>Gnjoj~m7X$(TR69Cs|j;B9HwI!R_EO@bUxr1k=pR|W_3yLe0IU1F_p2mSdb zW7au0{+>bRvH?8hWK37RQq%h}eu+_vDb?sKdqhN0M=SU_!}e7)U2J^*+`3z>FG#JQ;;c|MGA7KV_DVk_ z#GVjWf8x`4GT!S;JiA-)nZxFZJiJl|Dx#;jrl!xAkG@E|xVyNb^hL3?tq6Mwi=U$y zR@XR!hOYJG^Qbz(0rVJo`>7=WHaG|{uo);(Sprf>rbA3W3bRe@$`T~Ggl26t6TvcU z2kIEgik!X9Wfc|U8gg2b!8ZE6mbe*!RP;rKvyoABwOtHv(-dsVev~ZRkl!rMQxMvi zrCo@}Wb?juam^SDCCWVaJw_}}pp?A0+yEaMbL~#ME@}0ZKpV2|=+DDXHi@c|q=gO7 zCxzJeEu+Inu2)fE3c-(;EARmG4?0f;)41J1i=pmwaYx^X$9U?9l9u@5N1{V zu}sJ0R=b^`J8#CEiT!TJ(eOcUsKU-<8l@A1&v~g^B!}Q%Au6NUqW0I#mF3n_*1e6e z*L=uO;iQMKiHrF-S54cYvTo#^H0yc!;xTfXlx=3aHwm_%*|@lp4&AeeNImh1eI0MO z3v%9ZU(+sgzx@*7(qa@w_ML^gH?-;Tu_57|tBTuU9>ngVO)Mmox3e5vd0CPO%At{= zv!2in=WD)Qjtj_nAHT6{^a~nI%u|)PF>fgGLROABYntSSD-|DeetCR}gt+&n)uO2JbQLU8Fk0^It;}O5m#Eg`2yG%W~I+(<=bE7gQfZb@ahRoc| z{7h35DMiFdEK9HCXApjc7OUIDldG8G%=;Ss#@!<%IdS)^ZK)eoOHwgz4c_expta7t z&gxtL2?7cruVdeJhYZYk?{@nTs4d%l$&U^sV!fYku)^Z14%7!CvoNIt&gW;DG@je# zi;NJNsiY!3i%o^Y#JSr$Nm8WNA*WW?RkEE4Y2APQM)q&^%7ez!!Hpx5#IZ<|56m7+ zX0|od$iVv!4(T4%aVFX?Y(B@?bEH#II)ea=%%T09Xlk0proz)LgI|fi${j*wo?-^w z$gmR&3Ben5mUFE9(N5#Mg%|ITTuHR0)n(!#OA~`e zHp*zxQm2z?PQ8;-DQY$Rg}E{1-#?_mG)*n^w@s+?;JL;JwQ80+51AWecX;M32Kk)3 zs(v7jMch>cVQ6>563~*}Ta-=Sl2;i?K-PCZ9cSFJBKNF)=tj%(BA=hOR5+Jeib{X8 z?3J5ODpDy-%{zP5HX(B2!_hv7R#KCK+Ql6v-X*;FlxlPAW zUOI{U^<-x@8()%+(BWk=hez;?G6s#-!^;B5NovtHf!MHb5%IOf049e9{3BezZWoJS zb65AP>n%^E>ap>)pZe2chBDr-VmNVzxWNJ(Gkfa&aTcL5x{?L&yZKHhqsV$(?)2K6 zQ`07`Hw?+X5~6>ndP6^*DGz~q9nk3Cw1g^-=Q4d%_jMj5z7;T86M$eSc68k9e3B4* zv6{p& zk^Z@*8k>1&TmNYZ4*x$DNiZ?}_R@K6-X7ESwx5wD@)o5*e$Lq;km3ZE`Ru~m^d<_c 
zc#k99>kot^?YEC+S7|5!C>-i|<#Nq`*012{A03E<$^gbmYrZl%z#mCo5=ktrd0ijYQ*XyG2yOEcy2&bcUl(e_O$40i) z-b%Z)dBe5qkaa0m@Y?80^r6+#pWgPVe)%~Nb^`bi1p_+BVHAMZcXwxFEvv0Y<1hgp|G_g0_z|2*2dKnrbl^K^W3^{tU{DJ*Ck_B{;dq`%~boi{I? zQL6dxS7BeW!MC>@n9NXLHQ#jY>r%clFynUdhrn~A0+XAx9)wSlnv!w@>KE8MxY(Oj zQNC3p0$-HH8=yZ1lC9d$mb;W?+f)uefk8{~GBjBgoXgDWMKQ9nwt&k|iPP!%Ilvekm9k6N)&<;Q&|k#^I&(*7^ouEmD;kaz{U4&%y7@GXSP4K$!?A z`Jq`D)_`;iCyPlnOZH0~!8?AO7nRJqx1~pBd7j+yrSkk%X+)>>i5-i5eD?hhD6Kpi zf@OmiA6WJjKobKitki^*|7b(+jQi457XE*KL>0P?kXJdRk7x$cPx+3#V$med{(D6Ly5-+{EwPk2v0K%Qj3||2SXJustGqaI( z>m&XCV0hA(tintym35z4#~-a(GZW|;qFb!yUwX#ooje3Z-=jJ@-u>hJ7M{a zkXu&a&#GHCzMGDCH9fv&SfC^bn+~qrj?Uv3hL>*Hy0g%H4iL%4`mQf8{!rAtyy609L**ktut#|%qcjQi>(+;NdPbMi>r}4? zZ)%RT9B}Jhzvca6w^`MR>wl-Q2m;1HhketFWu3Do(KZWq2kNz@q z33Z7y&Dd{+6*-JkVUgAwCZ3nXVd~8O?|)ChH`j)$;WO~fZGNZYy?$K3ek(L&sP1g? zKaK!4_9Qg$we9bPRm;vZZ>?R*&OC3%8oYS{zd7~i;IWLuPY^Nf2h?5QEVGM2_3Cn$ zbpd_b&K-{va}aPM+s6{lm2V{?|88 zud2DB|GQvmG8fUx>ytmS1-jU8p!l0FxTNBzx2G>SiCvWg;kSRCUoXo1vY}^_W-QHc zk#=8KtW)>(y$R_RjsHGCprX;Fh5EOfKle`EL{DLV6N}7yFit6J&io$S?%w?(%1t2O zcW2vP}m&RWwBfRaAjU?vtKPuPptN(J} zkP%ZH*PwHJuAxUd@ED!rkKg+xO~+g7L74L&FVWS{h`ZKOo+WM48227J@rGK94J$wB zwUVa4PfV1BQ@~qDAGvT~5uV=&Y}>licst56fsi7O{=ge0cbb0mZvN$ak;{`{p+{#8 zPZuuleqO_92YxdC@h!I7OOBtp`I@t8$Tp(EtN!EeVS^3K0GC&PP^q8x1Kzx$)@XyP z?8;!-QA9YBy@!Z^#AZIF8>lx^@xhD$eThAEu6btKJz3y4InO^<30tbJxfpCMF1J3m zo#{$1Q8X&US*ye=1-I=zmG^Me^W=A@h2>~RFW~@b0ng)PZ62lNWvQzmFwF>Nl{g&u zd&km_`aTd4NbyE3EycaJ8=fCD&I&bJg#W>Ypjqk0;TTKj+bl@{x zj)Kp9zz}&+{IH9yZ8S~Dgrf2yqusyv4*SxxKh1fVng}s%QYBcCX%4hD_okdn1$7c~KuL%&KauNj>r}uTrdHiv|G%Sffx8Mm)hkG1fA@KT)2Jcv3WR+Y zlNT?9=Kg;-1-8t%jSeK%shpm;jJ5;RHgG&rO2=D04Ltw7_NDWlgs&bjIzS=&0AB(M zFPf6HN-CbXqGSKrA^fORT=Vwo47&_ie6BKy7yIXD!wnGuc4S@OHVIL6 z;Po+apg)%(M-r8S)wf^RO)EQYE64qNpf7GzHIy~DMK$fL&DR(LP8@zS_`Yc>mF+`n zuEmP~tQFAW6Xmh&Z{%*R(LMyYKGX0C`d>Mx4~9It6GJl#|FN>8 zq$K>w3^u(_n^U2|5^a}119bc!R{&5+KdIz;TUh7h_8Mx2x)K2_?f#PPe{TTmXI4eu zO3^CayL|zj2#9^11h>Ii$CW^R&r91v>i;{4RR~XZcNX`~vNKKrS{!7mVhT0Tc83xF 
zC7IAck8j}X+$ITQ7%v#8dFbtr0RWLXqex+sLWumz;ID#9bHS&OVF`AHT{#4nSo3EdL>Q2tJ`hwQwDIrsp z;N{geks$}^r<#?uwd(S>Mn@}>0Lgj#S#j)_))iWnk42f_nZRACdHL*{es1@Gr~k!8 zf&s#sUrK9WtE;GIoN#rDE;+5I@HLAzyQ`v;#LSi z2b|pBcR#|d3(q%*VMAb?@lXJ(DiQB>wY4qW^=ShiELYH~5MVpTlor2HO+-*0`QD#a z);mC5=&WkP^a#Zv}(| zMw9DQm{@jCR;NsKdIQdaPmTKED`tGh$RFntplk%x0#F)(2Wso<_kacxU$WPOurMO~ zPoRJud3P5O0&|@}i}ggM{<9XUGoL^1{c)4?8|P~udj32K8J0O(LM=hTzx(UW0{BF|e!@s1vd#j^>1KKnD@6ua}ViEHPLKgG757&Qc{_C0Js& z=jZboZcpetR93n|#o=Be`MG0rI{4cos;#XfR|li!gsh;JrPh`EhMr!&m3~m;tXU+NS>MNHMAq`-hVy^hMKPta+xv-%O z*e)>5`3loEwfWNrhred7EjoYsQ`%0T@5fS1KVK zGNkw?rmSJX7Dr+@0QX+dm0Q9Ci(I6DO?s7v%>o6hZA%wBV zq0`@1e;C}q_nwUqMnnE+LZ-U^wQfIqt{A>E6^w2EAbBl^<>qH+B|XM!jyA1qrTzP@ z%1nO#n1-xsVhf<n2z&uyF)>iXtc5QCeLrK*OJsz8$T@#Z z9R9w?@5{9rZDEvX}ZKX56AqX-la$LCZ_BG<50V`2bZ_2r%lWU8!)41TiuY%d~4f!OkoEg z>+qKv&PZ9SZzbE`zf)3Dz9vYYXEu;#!kRD}@0e14g{NUA}26;KfNfb$Ode8BWhgE$VkIm>2 zktjtYXG~mKbM)j8rz8jAsDNB+YdLm7}2AlC46LV!gby-8K^h)Hb+mv+d>ml z%yedR=I-Jp`evne6p3b}qihP^ki=tAH2fV5_&+99x00cCj!cV?cfFTF#pbH44B9}- zednPtR@L{=C6X=)1UiaRy5igcHtB?syHn(r1#l=MG=`ZL4Opk@dp0LDD9e{bg+)Yc zTZ8=F-9<7^z41|0(p;L6%@cbm+PI zg4PL+c0*Q>Wh~K6`%aQ7D(cyE^fo@Cpecf^5PN0&LqI7mKQm>*G3PVfQ|ryLrP=uF zp=MRfW-e59EBXh5Ij3N*rDL+HX>R@@j)B*indGW#-jb;1Ynee(HDrQ_uyATu3=L}s zF->XYnbZ0F-tD0-2Dz)thbHl^C(u&Dp!hwKQI#Xe)p7p!h-dN_StB}s3^L{2`}dj4 z^hMGTbg+FB&jU7;LVw@t>$v0`0*bM)mkBze09xiM#A@PRl~};JR%$l4gdPTsjC*$R z#eh{%62j|Ye_CU&Z0IGv5)*bOUAG*_VeR+Q<1Pl0(1$!mOUJ?;YjlKc*3MO$kfD1Dys^wAa&`RE-}edvshpz&!i{Ex<>6_g8bqMIC-Q)|)of zJhB1a_d{4zcWSw!vXYWv3N}G(N+gIfQL$%GqyzUeT4?sVvvb*!D9}kYY(U~gX3uRE zcw4*^ooKuka3I{l*~sj25k^|D)8Mz=azND`mBFw0K9JPSz$YfBrtWXF{x-em@WBb{ znGWH=K|~Pula5#z!IpyHsU<*W?gH~6Zo<&e5D~^rbHarRExj@eQjl??7GE=3e@zGD zwZMLZetq?tq>?;K@UY7H{H($K+meT;s`DpY(;+cikVhP&claUHXl)67jSfXuCbXjc z7{e0nKiq3b(H=x+IFD3bK)ePi7R~Lm)aJqfj^&8x1bHrQBo6K4<73tqevE>ruM-1% zxJ;C}$qBv-R1o?0Tj^iq7C3oLUOceH0@e(;i#SFEhF_f$gK;cX2bnj=pa|+gkK&*9sebPYO*KR@!BsQFT 
zanA_G2HIaTMy3O8ely&WbVo*!sTmtG`VA*5X}|(s6vRC!r*N7;D_a3Z2@RVJc5O6pR}IK_~5f8xDckXXX>EzH93Mw~&PZj~~K>;TUqu7QuA z|0*ouu%W@0?0i&*NS`g|#g@U$me@)#14UV$x4`_Wvu|PaO(0@y7^`#0&CNYieVO{f zy?gii`uax5@4*c!o_1B7Os+hM7S|MIi#%5%=_elqb`4KPUlmH|*NGw!8-k*!VsRq-TiFt@1NEwb(vXl|UdljmM3?3GX0sfmoKDV&& z^az!2_*!%yEI9())&gZoIHlPW2cZGT-M+KNdjX%j3wMqXC6l`J`x(#w4XZ&J2^1U* z8Mft^fofP|O%QY7YIoS9#2Km@RtHxp@X`?xB&6mDDM}748Jt~;N;X+*u4=HHyIFDz zT3&N723Z4X;_lR=i-MBVrVq}-U{znAviV*YGOm*E4cP?=LZ~R!^~GlFn_l!1f88 zSC5J$_1$7?NH>g)2?BtS>dFLvt0)Xj;4iktM^LhX8u!1phkJ3`=4-@gy2Qt3^ZGZ; z2ZV|Q-S*zO|(y23s8`GHv_YVkSM(59WqZLNeN*J}F2|fgOi7_SH?xj!RVSFw0OfsV0 z38ud24+<31Jy*px&Id-HZlbZzhm9T#+3aG8+eg&a+P6G`mrKKwLyVzhaxnlxL=XAon*>W4csgH@wA4ihN{aHlpN5(b1{E$d*4WZuLU~g5Ov7C zM|}X30&ZtqgEMIK4vMdE^U-xQxek?p%z7zTp}f~*Ms~I$Y|-(Vf5Sbhdlh^kE;dE8 zlBdiUDhvHMWF-Ewx3@Scf+xP-47P2%N@aHkaRSglTe{N^s8{`XbWvE zc5?-3oYz&B)c^u5mRtFQzyPWENGnw-V4ZTay@_j;yP=2%q&#d0J9a9V(jxd%KWL31 zmP{0uBO7E9ho|Ck=12S;Ae$an;dfpM8o7P1TbQ{`LiE1yS};MroVz z|0J3~cGS?EfO79#NBOk}8bUjx)|Wsj(G7@$J;%8H%;{Tl)$gjAYwEa}$Lm8&l2A$z z?2aS?eM0JhcB5&vcVaZT#;wcbdQ1$7PA%qe%R7U?$e+HatRe z0uZbD;4tRIahE4cEl4nhpcD9E9N_JMWOQZVlp`1oaPF6umv5&0ZI%Z6^DOq{8Qr2)qp>E`6F zzGGU+t&)u#q;sdTrR@8m-l4lz zr{)5|*4Lj}YYVh~vmSikIWQf(PawU0bSVrWtS){;@$3~SxBF#fWRUu#b6e7uRqJ~e z-=bWdY;-H-Zw5}HUKKUBu2PNV{~Z`f>AciFov`C(OMa3Pe0u;>^tMroaxRRPECoK? 
z0G)%kK+!i&961ZTXVx1)Jyz7xEPGAZPqz~p6Zfmx`%}UooiBxeNlw(&qI59p!?{F> zoa{>m5qxYs5Q_;4Dpx_LImVNX-PpwB=jJ8~q=aDWsIxMWra&|KVjhhBVNXcYHY@EL zbY<-KI#dJsYJ%Z=6eBZp%;DT)HxyZOa_jjAXEmGejcE-GWet(9Gg06HFK~G{S1+Fb zUl%tW`X}BYQTe^S%x0he83qpvFb5bQd#f_5c$Qqh_EouHC#Vf_2&O&}jCNQo3W0%D z9U4SUm)lxWT{j;jIZ$~ePS2!7mF3Nz zi1GXzu#?$sWqa)kWcqx?zkNo=u4r}&-WGfqtS}dQjlhI}B_|BUxepthf!_lv8#?RJ zpWjN&pTwcIhV)L;awwSD^^T9T7=eP!DW55r$2L(WpMpl+$7m2X4OCIN6B#kDp*E2G6#Ie23*Vk9FS?)%eYN(gAOIVG-P66Kp==ek z-kz{DoV9x`@H=Jw+MzKUR8ICC7;N6lTO4z8Aa6tH$Jj~(C-|I=Lf}{XK3$|>roIt0 zD^sU|JnIj3{aZFK>u3rLCzpehJ1f-e5SsPN`ks0~i<^@p;mj(o$3FhJFjLznE%TdG zPX}~{bkK@>#FWHJF#tV(5rA&!?9zIF7K(D5FHj&%4Ge}D?R3as8#23cfao;{t-95M z_p=>D{GJc=$t)lmRpWpjFf89^Gzu)V+&UMb`obx&7SRJ`0 zIifd}zD3Jn5yxE_HVNw!9+ug`rxz^ZKzCas1%>0}G2q;a;1B5t8Qwteij$HgpsqXn z>sc-u@zh)fyMRGnz*8dKA|KE-lU=<-eUPwG@q)R`Dbvl^D(*F4;I&?6(?n7bhj}ITbpMUe?TMn_JI)470 zqFEo6ih>4<>muVp_$O$fz$F;c{luKy0TDAySc5o{dcR zp&I#aSv7uI%&g<<%xhZ|!zZmpm@m%FH;oTo3ifq2zE#<5+>8m6AjsHTFbKSchWRv1 zm-Z8_gVZ9~*N?Hmsz6KF`}rx5#OtY+`Gkao)YR6Z`v^z%{s^Reh911(rV&>b9nmyD zrM3H@-2-P9$tvTWV^^z!7EHY!_vBCKp1(8V`Wh_csItW~oXIbghj zp;cL|eCSY1c7^L)qaRI`&6*C2Q*|`x1iXCi`-mRRz;};W+Plj4^9Pr>sBceb{=Qb& z373AT>$Gw}^^c<7x9|ElZOrY?d&f0yQtFxCx}egAw)Rj7SJ1}YSMMz}d9>+xu?9Ih zm4$^x*tF(&7^{cN{QvbWzLDnKYO8t_RxJ&&qixz#AJM$Tz?{YK@& zG&ucdbf=_U->{XRIB3DB=zZqR4#Ep61{tL;AbH*rNep*gxRm9scqKz0{}`J~7_p-@ z`_v=Yc&%2d96EH!%S)zDC_v3pmxvsFmCRj+O9(DWYVF9d#fQY0 zsmN#LT~)-_TZ-45@2=I<)NC(0utvqwco9a}N6g+02iXm0n4DPP=p=C-)UiQw%Hu`NwgapLw8Zv_)%+_LSX z*^pF34X#1V1)mcm)u!a$1_jk=VDFLAXguOgvz+8?2vWD-^`V zcO7^ZSforVJ+)C`;*)Au?@m<;2YkBm(4miM%In`71db?%)hla2QyvhT74?83#{_ObK58#&w#DrhLmI zG_4$U1H&jJ;j$NP5ZB2kvf#Co#Je(44cmYo3AMGofDRAV)x3g35mjk9hG9w4ii&Hs zNY^XOdN@)*M$rym*OqXblQ1Bv6$?*)(99ZC(_y`BKRxhp!gHThB5#xI4#}kNmz;OY zcI|U`Os4{SM%#qi&{L;QMa6T!Bb!L0BMSO9l1)$#N>-s={NO4EZ=kKz;aIY|x@sL^ zIa>9}Ss2NBn?b4Py0B}*vuAOQGm!jnOd`1!O_omb{9NVvd1j%p{_^Q zf2{rSt*8Hxa1?5?zBcX#&iob-POr4U3@w!u&Zbtf7zYG&Z$f<5$jIzNVHctddYdm 
zr3z+K=$FebO!b~xW^^x=_^gcBZ0drk7DMOS7w)DkkCYB`FC@5`I~u7K#%WL-uZQXSVvX1$g7&aecE)-P30Ga54`SNm2KdDkkVjC)g;k`kldBV zARU@>dB3#tPI}`Q4=0t*u5P!GFP~VIjn4G)FGJlpN*uq#BODuOZ|NI6RC$PC7O)>A zk1eJRud5rBJ~|ZGY53u}`uRB@7^jfemP%#aw1}-sHiBWu%3O4j#V{J zE^k#aHcnVppc2Dy@m(pm@=0ywI?UXQPUBih76>X14Gl#W=E1c1PUD_6F-vmRE#2yH zsu-q#jSvo8*?Fw?Ujnb}_Fc66jeF(8j?ALhSm=~R*yC>tM+Lq_Zddwr#l2VhQ1{lx zP#>nGveMG7TrH*myp9m+m1QZ<@~zZcPou&#bjb&m79=v4$YW}Fe@n(` z77(aj80_Ys2{t1M@pkQ-l>N%L-qS1In&fyOiL~p6q=y6LE95Ls={Pvjm!IcX=b(Ep zb5wM3>v{zRKMaKhi|}|ssP)1{PfK%mRq9?^d-D8pHi=B6Brz}LGl{ujur;d%wXDg3 zAvD%*g5jAWBvOja+R7SA5VlV+>;6kcE-~?pia_Je)8<8@`8V5;TmD)Z@#LuE`J2OL zU%p7~piPJ>5#DpxOo3+M!m*yF1zx;doUs{PrD;fGK6tOj_X*)Ee{PJORr(71-IA>MDw>&!B)D)nr*G zQ=(|k+m9b_*)@@lT9YIt-BE84(*B9{J|~lD3u!Z#`N@!X3&hNL9-sknRKdW2)73Bm z#+)1IQC;tN#)#_#-F$jmRn%&p5T7?U46q+1B2-kvO{SOI7Rw^qlgq zrOG0L%Xi6G>FF^BE?s+hF@yYsx0cNk(cY)I7v#DZ8XUi?EJJ2zXjDGWwa&!yLR=hC zHc!iOMQw@l^Q(-R%08NX3R!=5 z3rEL@d#qvwNEb+NpvMyCLmsEPQV<{G#U(Y|wU3tiXl7_wSc_lBQe$BoZr!Ey^wsmf zho9sQ6N_67A_FQ*gW0LepL~iLN;B`+BU<+P_&LI`cQ9OrKc8=4c|&&W1>wFTjixPnkc zO$yQ#YE^nA!J&F1$oTmVka{KdRc@Gh>F`K#xXhlOa0wm_$X*#JJaFWi!p$?cUsQqC z_-dq|d)J4b9z(sXqlJg+^T}Jc?vMAUqEWgdQCr}%jmk3QUc=610Vhse_7hw6KFEuf zOJT1gDg1oYFSCkMNgq zR=9A^+Bh_sr|89YOp@ZUOT2YUDiAxc+sy1@_jQ38gc%HY##7X^g~KH{a_!MirRVOp z89Twe56dviIaxk34d(c!^>jCvXTZ){`lm{Fxm-!Ro@^AdUkIi4M8fA-y7ITK*IM7h zyOW~|PLxdj~NcvUD^#6%o(kO>K9DI^Rf(rNaN@?X($p-c=26 z>wrwJrbbCknwjo|RHf7ar|58(=g$(%+z|WbmZBEwERSy@YDvF$Uwi z26SvI*RG|{Wk@{!Rw-TL6Fyl?tx~`KHQdyTE73U=j<)*{A9UM*5U(ChXCbEdR&4f|xvFT8vkz>F_{|M<1zNYk_9 zX#w&T>k>y?_*9&bp{oAOv<1G#)@t6BUwdwj*KcV%og1@bBRFdqO>@%!#-nmA%|}O= zeBK_ry@t5?UxL`FD{Y0u3SKT_lmGg%{zzUMM^anAU>2hNpKU(%u--i&YLg_Ca*jOzm8iLf<3l4jx#9l`P*k% zcMM~^>KVBYf^wYNsc#$lx;nN^mIF<75trm|8F%SqAy%>X$C}u)mnF!R8(Tc{C`DGF41o=+qxOls_o@{)ZP+N~ zT<2{?zo%flxIbwNE>~N~>(-NZb68tX%urdqLc7f110k)1 z0vGI6`Ksb~dvUYg4#0sbrA*ip@h zzhTV2?P10A9>oUjke9?(+-@+QU+Uwd%Dn5vGPcd5{i%iiQ+spH!5R7<@rnNF&u)(| z%a;3B2heX};Go>|h(a=LNQk!ZhV_$nUs{hSnryg)-+uRCvSxemf^ET`)%;Bw>aGik 
zE4v@jROZzyUZx3`n|OjN7a zy^#B+^rpN;yD9p!BF_2K#-4YqEcY|MgH=Ww;K<0FqrD1zY3h=`9o4mxUcOoF8Jv5HV3}Q2VBT$5A0zgmTC%j8%WtFxDnv8 zslW1Oh>pkiRp-2_cruU9`IR{5LYCYDm!QbC{-rYZ&wB4srTR7($oXvPQ5wbS)T-qh znV2=4RNtGVuNdo_{&B6Sy4+deOMuPb5;;|sHYXKV7}v<|mGF$;`1ysNls_Tk_Ra1? zUN&vhMuN?Hi?EATmDMq$-!vbQucy!aJEi1?I_ci!D=BA=MVfo|NA#>EUK-R?Ha+75 z72aj_Ypr;Lh}=^r%ApumbF49Ke#|c)rZdPqNePRjLY_zHHH0_NH4HzbF%F%gY+#dd zN)t(3HpMl{FwAcA_K-;YYksKiqaL^KbNjKK=VoBN292AvS*KgeqO&b3}d# z0t^LXARM%qJAxa;ug#_G@_&A>$f~x+GvHXk%O2a$q{47z8WD?VfOL;N+HU z24lLlRln_M2o)%;Xgr}y`D;XH5}vcM0b=Tg&hgC&yfe-z1)PXS7_0 z$=-;e5ykoMhldrdYZy=-Fc!h2(wBj733^XY4LbYhjAK1uA6Qvxg$Uu>xgK`bOE2FJ zGS;4$9U&3$AJK2LnXIMdV8>JpFed+^}F__yKd;pwU2>}iHOhi?+~8O+f#ds@gfOO>S%k67bx z^+4!`xN;h)>m>D}MPK`$4d?k!<`CQX{pU|4wRJ~mk8=0$VH6T(2^%H`ua3I)#>?^E zF)9o;>eJ#4Y}G*m6x1ufv79|wQ>x1_UGxA55jC4mN39}C%x^h&luu6%Qx2iCvn9t+ z1kxZv{rU>ZkbNevC;#YNJ1u?a?LG9}8cV~`@XO1Wncg~BJ~ftSFwO1W>0n#C#<^5) z=T5M7-$XtQW^bRG|3iVh#&)caNC zx|3Kb{zDAuZf0oIDv+Fa>+4r?)2OZsp!3mV<`&_RkhpHr zIR7L{AK;spe|_QjYs;xY5stsjBli{I`3s0DZw?lgbT2wl!KgbaDJ0a>jJ08ZQ*d`d zS?UtuWaIET$IHum+q3o=mVXupz*FS^^JRzrWA4a%C3zrzLZw(CZT)3^A7dHrv3GbmvV@}I^dqSbefi+kvBdf5mZDMcLz}?X z#U*Muzmmm!_`WfH!ohs(>Oy5h=xG^-ookbmlRrO~O6nJr`MwBYnM0GO!o&4Dgt@yu zg5QREd|X6--)Y{rBK|*?uE;}5LEC9@7BfBlX~f)9E|g+OExYR`ney?ryn=#)LzC}c z_R?mZ#=*UR|Ni^;?|Y^`$7O$HP=AZMdoj}xbIcbK7ZdybGB~i6kDHsyYt@=H^&L0d z*I|euk;q5OyQB1xQ7IgAxYa&HNWF>L!}3vQ zEz{05;Ig5`3VN9xiW=*Fd-Iuvs_QcZ%y;LSWD$R@jEFXJA`DE2p1kXRi~Hz!DfIGX zt}zZ~m4?8eAWYrP!YTSsbgnf>;--7Bypgi2omwc&XsD}OLQkJj9>{Pkl7XH5Vr=Zw zn~sK+M}15l43>^PHAO-eM12Ip**&>{#y?}Xot|CeAc;dh6l%wtKSA@PBk_S&S>oc1 zS41V(QD0t%T8C2Xe8?kWQ%|MGEix0oEdWi@bPtme3v{V>^py6}`Q@o##|M(%A?`!{kEYDwvr51f~ zgHN8+8=YbK@qvMX@`-K{Z6}UMaB1FRpRumG+S>Jkf&)*IRaI1wl-+cL{#;<`PET)dnnjD= zzc?MpVi`PithQr%>RWcs?I%xfB4J$Bo`mtwv`6^59u9iF1>oSv1$sN$ENoe@%(ogtVZT`w^@sxmf!uB(mAWP0EU z)oUufj`GQuzkwe4s0_c`|Eyy~P8(UQ-P5;aVo%01VLk$=66pHyBw|G*pUkizD-@Beh zT`H<=l&#M^j8;~}<)6eOM3Ln*ynXfRRVQXDHKp^}zXzwTVK^4{=+5xnml*xBIhUVu 
zw7!(%dm2z)UVi%YW5`NG;MZH_leu>+9$nGD|7R7`1^GN$ae_;4NkHvJ=MTKQUvd{f%^CDyFgEtHX2GoqGQ z>+JXCg5qSa&h*4b#j>(8#*iHU6Av#>oqm*QGV^{VDj`?u!fPH{c1_l;x?Vpxx)MLOU|CjzHd+q&`%yZIyzqsK;*)cPn_UBEz2Cr^7)T3 zgRYDN8)jUm1|L9T!-j2-?BpnS+zLHQ1O)}z#jG{Z{?&4xLBIB#Bkfyb?*Q-!yVKI# z9QC~9@RR#$WMPTl_xp7qPtmlZ_qTVPTiYj>PdI-+upyZjfv-{2dY+Wf7?y8e=(ECm z>x!+FZ8tkGP9@ySslJ@EyL? z;N|UYWf`{blHAJ3)Jtn5ncAdk4c6(I?__?Np3aAlhW!`1vZFKaYF^u&>FHo8i}qU} z{#w0XR~^)-QT9Ybzk|ncIcZ&oaf*f-TWH_!UuFxP>X_a~zJqS(U%$E=KV>Gq)%UE~ z=3fu^*N+_TfQACQfLyqeng99MX5NnS#~ga7vk>rdb8{>3VgE1RPWiK@==6u4VXH)9 zyUYKl2ebv()os%+9UXNweyVZpueHrtCgo#~u6Tkr(zL)9=H})C3sC}Y`?-zhOpaPg zhGjFjN!z#A@F*&Fw6`0leB~*2;K_C-em2hc&mXmXTV6nn1&v9?4qXoax?RMA0zxcg zw3N=U@!r`P9j@+=;Xt(lM>#k+3a*Nu5lvd-&c`ZlD|A$|yQJb#?RH-v(&YVAgUXVr0+uM8h?x&#JHC|6r z6;sH)h#iVvaHhAX#|Q)K$%8s#AC6S~`clek8GYN56FLYY{--;0zSyYVSUr(f;>4zF zTWk9V24eP;NQwDwu|T3)fCx|E>gkS}n3z~6gw$MaT|LZ`$V(;%=@}TDJQa8T{DyjR z*E}jG`^74i7)?E9>;S|K&cs7_1n>HSi_Bs3%_imfxhFffFj7*)T4 z6F+7TMoN_K=vbO~Vqziy9m?|8jO?KE@c5Rd6-P=73JL<#R3j!Nq*1BkMr_9Rx8 zU0CTPSue&I-MBX;XOZp1urSGm0d)lArq1=`SD(gCcF{UGIOvYxOz~dJ93F0u2669lkC@yA(q78;OM9~f<3p^h`;^l{N{}!B6-Edtm;sR-VP3Zm=FgE z*&h*YBbET+!p@4efW~sf-92_=2%ZV?7!c&{w6a}11~L4Ux|Gx`RM;Lab}l-a8*2=b zJn})i&G-TH3g+m1W7`z`E-6^o&@lK^TztGhJ=uB%Cnu-$jh{)`JOToC6W>Q%ZYpTw z$PAKSyfB#%)+3SFmiV@qxW`5<*o#L%0QC$`=hl(0n8FF|~ z@ii@=*4Ya4lh{lgEbD(C8C+t6vC$*$3ZxV&tY0r3E+%omo}_QTfPN2QB?!UrVxQL) zG?KCZWIAQHSk(4Hnj&1VI;iJ!=g#4ES;EpvOMOsZ2!=*f&X_fbhfq@j%8*B|elKp4 z*u4HyLLhwzfdn?p?jvrJYffPy^ZpI8vZk@2A^XgE z)v8te^<)W$EwZwYlN1#&tSiM^GXySMPT z4NmXr(jk}Z|M_eQAucyim6&s6bMM#Jnxqu&eTkvy7#PBSqE9e1BH|qO^(1uM_mR%j z)YP2pY_F@RFP)s2KzMuf$4c=XJ9gBt9R2$BE2?g+^saG{Qj$~oig5lFgsh(}NGeVLXwZz9F28kunA&hl;V>+4f_ZF+t0@xYLf@ERHB{kDr4x4_?Bq+c2zzuK5D zMb8d92iN7mfdkSPO-)P?uOw!2e{_#Pl^sdP+Ehh8c#iMkLjN-Gstg0i= z;gA|}Q&Y9OKYXZzdPzR&<(2JBwUmx7cJBFIMkX&M1wy5^*w*$Vc*QGNSc-1lG8M!` z@>ujw!NN*z->zXRu@*}}RHw~f5DLFv&Xkm*H|Mcfp*1MgOe9is0#Hj#7V3{F$B4e| znI7}jkw`pbvNic>f&ig5xigIqpa4dYxykNrclSy}lFZEyAVp@f?nmd7oSYo!&l-i+u!XW(HJ=Fkb0Q$XpzX`( 
zXbf?Ht!-_|+ACMAsG%I7r{|5EH@M|9&NiG6?)K>u8DB2Vdw6BoHy_IoR zWnUf-s(A1K0ySs58f=*P!N!yi8I8J^~h*8t(rNRZ{#Qbey{@(l4E@>!w8o>I;d0V#vF z3!uM4GF%r`h{de;>r*1rJ*cYM>J}?#UZM{jq-LEM>JqL_(cSO|anilVU=_gQN2I~l zHUpCC;IL%bGWN1*zuwNy0NE2e&qhZd*GwY>r}63+!a|KeU5|hN@gpl6C5{ph{$A~^ zTNl>p0|*E*GqRp9EIhJn7jvJ*fdjd7Wi$|ufqv=Rw|k-5q9xG{0sW!JUW>wDz`7xb zllo0=?aw6u52r zr3fDqPw5;Q;$&dZH8IKFVX)KOoP&|^9gta97ms7OWR0ApBvj9>j0{|G*U>kOq?9I& z?M^UkLDh{+eVu5=l>G+47OLcmcy=N65kEr3l;AG5mO-=nNl7xY#{a(b*@ZltHt9l- z25KiM$fF`)`)ycIl!1K26pt6>vNnKFeH(AVZ~#>jTC^g?*#w5yWgcMz@n3cyAc+=X zBzEoGc|y!!_ijGu7&XIPy8=p{H8tIzmRv_#Q25L4Cc{#$6yf4h!ULZl_4K5sp+V|m z^y}C6o@NEsU~_k&5=+fns{FzQQxupE>6w}m#rc%yrp`&nxk5~8+lb3S1+0An-h@ueEms0z?cudA=$4}8&sZPEKCBP)wL1{7~C z{YP;(G9iwFgM9b?-8)9KOlRG#qjS2-G7G-@(xn$R?K@#6U$_0DbpEw#blnRTAxV@a z*325H$LQ6h--crCBH~V@U%otV|B|!*l!HWBY-<^WWx>QM4#uWXqhFZqNn6{=Qy*a| zf!X|lrhz~nH#9gMJou36`O~Md(b4GPBUo``xRZ{LpZ@|yfyb=!JGX(cDdc)10ZShe z(j)Falkf81!R2U(7lm3EWB(0I39L1Os-~2Eon2ikI5^DV zKee<3q~@ih%%^#a=_lO|sz%rMDns!PnOj(JmeT}>*j*W&1;Mt^f!TfURuNY*d_3@6 zfH=v89fF?e4Oirsb$<7IfiS_8XT9y}l0a>8S65e2ktDl^kdP1*D;ntVoz;B0iQ3T6 zaEv$mb^r+EX9O4-m*2rvR4nD9fgbKd{RX?i7>pYi0lMLaDkqqfxMmS|-`vGTtj_|f zA86_Cqb%eTG`XP>8(KpLEQJ~X#6IH$jZXwz!xcop6lH0ig&X+!`Cn~+rC!+1j+;6# zAP5cDbbS}IDU{ATLg_#Wun3z8P#)XZsFsj@^(tXCQsKj?zV7eqI}ee-K`*QRg{G)s zv6cs5RFAEVP4=#HZ*5^V@jUK3!f21t{OVQsonq@+CVF~$0z+x^%wnj=s6{hq>+FgR zaos2`&b&VxgJ%Fs!-d7fnB4O2+=@|&wQUdI;{`Ep<4kjVduX=hb>|=4BsRA>DzyO`z(C%wZ6jmvZd6s( ztsv0LVIV@>Mh_3~qenI8-o{NA9%Xt?Y;Z{7wiQbN=ttGV^A|510Bnc|k0r`!x(P+M zI6fW9lzcj5R0$$NUCnC+uI0^wObyd!ASZ1bwvbOmTrKMe}Q3c4A05gNSBG61?&mC z8A2^^me87t@YFVk(|!}?=1#tKYt^nQ*nkB|aVJCUR^-oKOsjsu#k90hgkc5%OV)0C z`jmjHO;FSHZh5zEd5n+t{`F*i+ghkjY)Rui)TN?~w>4|qa5Z` zMRaU|(rbad^igUFQH&a3m3{ZF0;VKkXCe=MrGrxp1@@{Rk7i*ektVN4eg>SI(LFHA z24mPCisb?z6WBF2Hbwv*SBF3w$qTlR&J$kT?-P9p@zJm948BjcwFKbAe>ZR5?CakP z4UN0jLz}UIDkl2+_3PKJ32QT1Sy`EznRP9JOJ(m64^2mL_Sc%)Y9h8ms8~K>VY>aN z2!C4|1OmNpf-GUUaC7b?YZ9ztwkPNjFy@I%uw@`a06;c2?qJ`B_XHQ5ZtM|y(OcYp 
zc6+$3tqp^%;-GZ5xAR;KJO_)n&R8WYuJ$b@KnCXunKBTMJAp=Ta)_0jI zcu|s=9Kdmm?4`)a9{mLEbZ7yD6<}}J$;+27M;aJC0o-mpJ%!}s&0Dvu=&kqf2RPh@ z_|Rzb91{%`x!XWQPR@+-%#|xoinTp|j(7r|iR??hk?#11$4Me{kMm<+-zgWoK+1i< zWxO)BCo3nX;$2I7d%}ea{fH`sp1JyN)2r975gN;9Mu>pDZ|O1E=&(6x3*?Ke>{X16 z+{6YeA6H30Jm?HGEzMrZ3wq<&Kq4;i8yFCHuqWni)X0}F6|@94q1gdT4wow~E)Iu{ zhaHN8>+B6};_VG|&3-*U2oPXSRH~?vY1tFli!0*jz$dWl(W6HY*RFYlVH^jlB^1)1 zhh>S#+%OU(>=NYX9(su25p7x9N=izgYgvR$0s}Ozxo?8mcDA>_e@$THMz|Cd0n(fk zc5_PPg}S2L$tO>AW7apM5znB?%wwX5$BKpixg8&eh9X_6kHj)0zJk@7n3#Yb#j_Al z1iY0o2(7g~vzZ+#$q_&+o908%#Cd%Z>2<-Z#t}zRn86t4CQ+^DP;m?F92``7JB<7> za7+wpmB6obm+#)?OcPO1upnYOzpOHA2hgeR5H6&|v9o7eFi;1ii#2Q32(f6XtE;=a ze}(Pkn9%2aJ1}rDCMGbY>Gf+4d?yDl;qOdk&iXqzL})kS5Lx~G{bRC-!~-A6WnSOf z)|trV9HEiw!1G#@a89nSu5eVUEbmk8G&W{sW2-xRL;yGUfTLr@!Swp&qe~)Tj(boavr*Mo!LBnyqebHjhF&5axt<%U;)r4P}@7S zv>Xo{sA6n_KDl^N4nVi~{8gX?=+Ff|KSFgkM19@;{zv-|c55Q-|%7_;N* z^xskmxYTzL4hm@rrm_{2l(h!fqPLH|jSsOs8WAjhWhFjdjk!^6X149cDN3jg1^ zk}RUhOC2VQ#|b9=d#h($zw;*ayGg>6M0y zgW6(GjT;dJQ7P^p9GrwEu8sfsJBu>XapaP`w>z?nGAkkM>P}8qVIGNig?uxQ6~}<> zo;`a8)()h>og%=*6mxC-R^=oK|2OdD$;47y%lIt)13WTJNGD*t!p_!HA3l5_ z5-+1k|0SnKq&$BwKp4?}-$Y()+O?;Y{OG^r<3g?%c8&h|^`7a;wLzb=`_SM?Lqm$k zFoHa`-KC9^DgF14t~?EwNX1K)wMaDP3MJY3c7>{I1denD3pF$esCUPBD>UKC{cDB$fvRxA^{%)fah% zJcy;JlyLtSnOS%L<;ykumlQf0D~SFtJEX^L4VuSYaa?bO`uWaGRP6{U;lnx5Xiq6dz?y1Gx0zuPY_A057#iNhU0W~Y!eh>6oL zeAfM!WzNYTmsk@4YU}TRzdm`i8JXKwf%bE!tmVd!xF0?YzzVaW;zeTpQoQd^9ym!x z`?_BGqL%-V=52J@v3>j2UPmXV805{vi<6+wY#M*(h{s|I-T1s7G%`i~>rdQbzo6HZ z?$A_zA@!`Lgt~?odZVZak+x3zj@H%~P-$$ZYIPon7Fdg%e&y$mRCNdX-!_S&5kTlA zsNj!(^ed5eMus@xu6^#!Lh5p@Il1ba7u{NoRn{R6rD;$GAWTF)8j!-%OK-3#B<#vD zWWQtX!aMq9Sw^kllaL>7vU<2I<_@A9Xy>5`Pzi?skU&M{0pQLfn?j%htUO%odMSnLV0e5oGP%E%R)xR2qp*19E=WF7LL>aO@N`nn9GqP6s!fvsh;qFok(A? 
zE2*f=--Z-3VdG{k>DXf?K)VI-R4r~F+NY+b2EY8$Alv~!xoOWcoNV`6S_*-fWOIv( z+#duk2DVFSO8o=0xRbMqJg~;C*0`Mkltm&>)LN$O$GDoY$?nP`BzU<=6}$F)dVx;s zaFsaE)=Hq6Akr#*eGY}~K>WEo3=m1N0Q7&tbQ*g< zoyrD=K%$K-BaVh*n-yUG3D39$>==Xb?_Wubtmm>_D3AQ|^{ZMjvR$lakXHwMkTK8% z=h4Y&0N8HJN!BaK^B|S5@7cb!K+XhuR6958YXr7~>{b8xG4ctd#00VZr}~Z)t~{__ z)5+jqQ`_`@l5=wpAml*V&xe1agBp8n!mo#L3Gs34#UAlbv z%|`9G5xHivwf?W?5`N$&NCBd?pxF-&4k87Sn=1rTY)01>UcR&I5gXcn-$~MHctkM^ zYZRH?OjkFzUO=ex26!>2TdDpKa7#-sJ@TsvF zGK9Dttcf6yx!II7)YlVH=7%ZS>_l|w6JhpUo}r)~N4%IZLWM|)=<`D6u{e1A!omkZ zXCZP{iUpN127aA@Qk=E3+ZWcuL7(RJaPfw3h+r|wW2rn@)0WqIG!FPr# z4AGq^9-wTcziDVq=IU>inOT3uPzK7yY>z5(eGL!R{$D?)q)mVEjWf4>&E=7b4-&uPk{tzd{O}8m5E-Vz6 zlJY<_3(1axMTsPS{tP^OpaEJ5j-6jLB%f;5%Si!8!N3^}4~d)RiveSOy}in5@24xV zwejM%kvLN)3=$x2CW}Eg;VlFa9VQ6G{-o#qhYu`p>GbsjGlVbQLofyIH6=aQdjlxM zbn+~}yC4xwu30^vPS6{O@GcWV`k7uZNR$T_fa@TUjA#yePvnZX?1%8reN^x}_Bsw( zExQ|sTwKn}xH%v`W@VL%B$BhUVaA4i{FSUOhYzC{xXR{x!rck$;RII9UO#w~sWY2d zk8mm;bU+%H0uB7Ha&o6zP-t zu9^O_;#4*ZP1t{jRMfwD<{ zZwy@n`t)2~ql1YfZf;OJqYc(#1ZhN6RL}PaU=!TnapV@hM~+0@dk4D~$YE+=uzAMy zY3g|<*`RJH^u50PC4y9e zoh^h{c+P=Pe~=Lw)CBc6xEdo%ilAKhR)Z}>Qup1DpFdMy?b}_Sw}RXEJRB4+uM(M5 zH3ZJKZL3506XBe02N^5$rEqX|t{!?+SNA@Wmn0THtHsIt_w#0RK8E;}?C%#G`TCWj zz_-V5x-TPc&a!qb;rac!8n}3rAO{DV)Il>{U0rw*xOxbrf&_+&pogc|iWs)&qJ=_c zW~LIO-GKv%m{&+7AO&Wl< z3R?kI1p>!2Ipi%{j>4iq)j`KCJX?zdOfH)T3bmjFyAkLVTQaN1W8&g|NvtD6rTB$R z{a-=9rs6wy2wO#XTXSrch_v+T?rS+Ygn+A%*EyiJ3kMFSec#R7H*Ty5gKv8_$G!*d zaVqY)EUWj0jsR7%wMJhRM3jg+awpp`!pDLJ#_2UPo7&bAGz>z|UAuOTFdj4Dhc)b% zDPFpGv2tueGVrn{aqw+C`=@`xTS)cdov9eR<5tFZwRrI(48OWXm z7--y-J%cflh@S77(i_@{VJF1n8XFsl$AM`^`R=wUoBZ!dlJc9K{L_F5jSc?f6UFX`o`6iO{j~}L|r-J}QEbmU! 
zAWgM5QoUc@eSIepAtCHkP|NIn6o4{nBkXMNQ}~aqx88jpA4hDbhRW5$BXv~BqBP$5 zJ5x0GSlQ%5L`Pia5dldAjPor;D&MLpiBym`lam3YjA)NYeMz|(R_60>Tu&H ziEWw{m=!BlT<$|M*CkwwJT5^Yj1VbJY~hw;Fk~@zG5wvmfV0nocnEkvvgDkpmWzWU zgF(D#xS1nmfIuxe3lhP5!?Uj&E=c9wyt(ox65Yor65}*Wa0;E6@X;^J&fY+Lu|m6y z7HlbwuxlPDpL*k$k6K2n0Z|G1LN)azP&+&?>MDTt(o~y?ZYcshsWZogY2~ zl|`i9Eh~GCOmPZiLHFrVf^+a4-$Rm;T4g{m2CtYxlq;Or&!I3(0~e9*a(eorw7k;N zivbcOu`73P5%D)N9TzZCH|(Q?6S9C1E$|!KG#S8c!nFri>%M)}rhARmZ(tcEFFca| z`YYEUCh#XV#vOh3Y(O>`JdfHJGWMR$E#%?hArsG=cXsFI&D~rPA00Sstes#6TrDAzy3{Q-v(m!#XFpb+^4$<3SheH1Y-iLnjgCb>}0*-qRr z{j&4t+5GI3DI&Uf=~9Bdu|PLN_uAE~U2E>+zWO?s6WEkpNn3kaojG7V_U9UKE0RU6 ztCk>F#LvT{eMv5%Fmzvld169BXktfOTX$#YIz;}&Zp^CDK(=9mdgkf~MbWqH8iWtm z-en%tmw+$Kw~t8t-1S97Y$Xsz`#BsR43~kyxhhMfeQO^*LL!Aj+$P*?d&T^p?CLU{ zCs3L;lbwoAo;8Ogd3g?lyrLqI@n8;%8qWaQ6QViK&2r1K=I`CF=B^Agd5D!&Q!={} zuJ9&S37NzsC4uA&rXd!J_Pk(iSubZ}k-i68b@;jzwscwxa6i0p*65=^C8ZBbA-0RK zhfEwC1Z<*-ij7TQWKXDb)xO`?9rCU>1YQ7?gKE9C7_15RmMz8U=?^XQL3ThzmXO)) zsEiG)ex8B=?w=UqAALZn$|bimNSn?gsQE4Q`epDA=#GYJB!RRCeW;f;6Cm%J$HdI6 zH{RFZPw1bZKX(E`b(t_1K`b9=L3x0+0Bytb1ftpxtE#qNk~6-R{%$jh=3--6z zCOFwiq~PXREdvfGWA8;sCqmzZbaJ7McUoS4ezf!UxymKm{5I@3g~}$g06HE)uN~XA zAq87#BnX{}E}=k?hmIUUZwOCN#@=$@+ZS1FIrOTSi27I0a@2U7rs)90NzMGoWsfDT z%`~Kl4WUbXkxcn}S6ioDiKT5rDHU=cIy&^13~}+}H-FOSUAGbTisp8^6R>{g4?Z}u z5wi$ix8v)JCr=0>R&xgW8fRkO78vG)CIf7ZxeHFr-wg;EGTr_dc_0vH4X@Cr1 zb}y2=YRIn3h^j$-0y>>OP2W+|7BJ)XzB>%$|89B#1LKzT*^5p_I6m6~$d#XG=ISAg zP1(!#Lfh0)oCk3~W>uMnmX<1U)e{$?6cnjMzzi_%3fs+)!r{ty{?pksAsHnkf`Ew+=}&Lt!uO+ljBgp6^_-Ak7^|2{yd5&;j0 zA+ixnq;V;@F-VSsSPTad*8yeiz&>t=4@YmdBfq0UWo4!HBPU6e&wn`#4Qe!NB<5S~ z(J%Y(!DeP_i;J@w&s@C7PEj;KqcIAF?E~=E@gfWU7MHU0XzE5}`*%4TylZ;*?JagyY|Qe}FF0|JywD&oE$!rQefH{=8D&$6yzr>8AkmJS za4M9>-}n&_V9T+F2JM(T$Q$7l%U$5YY&l{B+n}Yjly5#*x1Lj|pe*!IHiVe~kUC`M z;pPUFqYES06*UV*$tbw|6`6s`C#-B1>>5B?*F2np6_T`*4kQ`!`O~diPnMS}>KLTxc$R`G28st~7BtDPSQPuY^Uq-lmjPVx zAnW>DaFJ-2(fWRW0ppexcpA1wUlDf>PiNJDLSTOjHBs~E(bi(9iRvEYBX>iqLQDbn z4Kg;^A3O;43je0aZ2NeCdPZ8>Li*i@4~r5maLDCZ7@Q2QVL4@6&kkPXMT(E2O%XB3 
zF0}sTYya6&E_5s=5KU`Rtu-53?UTusfU|HAu}EMo&@fh)qVo{&0%S)^A8ts zkw`md#U~KzBHMz38A3FYP_=^Sm0lM9mIB%!Q4kZoNu(YL*w6I`X`l?Y&fL@#Ag;y+ zGYfDpb8~b1iqVt!En-sydFrh2NmNgJcz~q_?RGbM2bp|oR-L07hx?b*>L%*jYT`I3 zz#AlCue>cYC~i^nZr_fSU0=s5<2(4*NFsJkJ8m`S>cP|vzqvBKsX2p#mcukQsihFF)CwY8m{^V*&0mM;BO1ru_0c2_G={-ZlK6T+jw;;g*9IKoQbdw#X3 zh^0+LO3DzrXjXz^Vq;T)sVbZHZW`|IM~O<7#W1uC3b&Ct*j!Mr>O@|Z{hxzd!w3M@BZ?>ooXJKIeg4jY zwt-rsH-=Ex*wg=-vt4)psWJF08oE_P-=SU9Z3+cYpuS z>EO8uP(2O-5fSzOkUefnMs*js3hXG^eez^)z7d>@rAwATx9SWFHvP#v&QxpehV|^r zNpN&@_~mmF#624Q6#r}8 zKj*OZX;7zn!sXeE7hXQW$N&D)o~Q=_{lmk1P%J@l3~|K~wFKSP624)?u74?pb@1iK zSjENa*Pv!-X{86Nn>hbU2>(uj&&h_*`4~r0N6Y?BiU-ijYVAn+^HL_b*;#sG|7B~h zBhKsUs?kIJzdfC*O(#*-_nyb`|0lyfTNxdBgMz=rn*aIB-INkf!W692z+G?++51G{ zz>6EVZ%e!Rg~41c*W4BlooRqo69z$X_=ubVcoSjuJAgvTSnZt+!N`luo zp>Tgmd5xDp{~X0aNgVg{*@B1y1`aGs>pg_d^ve%~v?0RB&(9An z8?^FlY)c{Zmyor@nr|k<7LAQnT7~lm_ywRaB5@G5jRLpK8hKx;7@wW3y(TTd)Ufd) zL|Dp?E0pioA3NxUjyUNg2v*crTIA`C=U0-NRM(idY}qpkzS}+_=}#}3`tc+CK+2!y z$_Kbq5AL|We$p}{08xk=7i|(m&O}IMVJxa@3^0D{KKvf?e<~Hu7d2+eXU>d~?e5*T zs0y6}KgzIo5*hJ)I4LC~<6BvoLNgC2EX^VmVDFqgG5At8a#GPJ`oJHQa#Hv%(f|63 zbj!aKy{wG)=k6}U)r`vl7Y(doOy5w#3Mdvd;#Bqg>?}xAV$yo3{6DnTNer(x{rs7t zZ0LzPnGh8}#cybY)(~S>ua906E?AhEd3=Nz#cXfSOHMwU5LpRfWMHvh^(jp|qFZFc zK-0lb1}Z9nI8S%4I$+8kgdV0QG2d2U`q8ZBQG7g~$D7=T_}dXoP*6d|y|nU&c7{lkmjLw8pD3o;E;eo~j0zw>0@S=7>m3Rzy!OflXAwngXX4x?$YBJ=L% zQLiA-Z!;Ivc?1;A)`WHx3d84*9uXr9Co@4p@7sreA&J+KL3Q5)W4G}M38j7Qt*t|t z*agHG^Z0*^r(MrYs_VGwZ8!60vSjz}9nYklZOB{_t6a>?2-5u)yLWpNTpl!Wjk1ZL zCOz2Y6_sKF{(gwYaKJ8X1<*=kkQ2hVKdOm$2??8MXnNi$(^Z;@f*kLe(wdN-x(fM% z{Q3V(Zy1*+B}6{LI5dQu!`@(%QLt^hgO_A5r#(Y!msEr8podhAFyTF#nsj1 zO5!FXG_24)5%TrUXGbhUU0F`9_4%QK53)feoc+C)7w!U2Kr?B&|NY>mraYevZrng( zRtf`#aPRJ20o{z(_)fU)2xNSGew{ykKprQM-a%t+iBCXaF6@;5fveHjN0WAl@$%l= zv7q=`0Zk0@5uXM=EkXV8fp>&9oWP#s0xLuT!$3L7cH)0RTVPj}n2w%DZCnErL2^h7 zWS38#z@qA?te4VOPR@>|rpsdCu-!vZOK=^BH~t5BfdO1B2J5o2o}R^Du7|lDt83TL zuRH)pUnTrEc%$e?uR=7?_gpEEf^g1Y??0&#db$e~(5rJ=-z-t3ZNoecgd;kSd(ON# 
z{0=NC_5Le{w_afwU-LiIJPpV*Hn!)Hk#&V`F^`Ma^}?!3nWy~AmxEY#0AL~G3{Oc# z#l5&}`wI#G^q$gGrD8va_k%}!xPhH!) zj+%k3D=3hWmHpY?9^QA10&)~Yc!}dUfPfLYxc2Ri(YX8<>{5ku1Zz6r;!F4fa@HJ-hgpc=5?&IU*gUMUw7c2H%=n1Ad=<^Uqu&xxIhSHL@72NWuHV8vd70GfqXq%AXORP7gJf>wo1AHRV)uhx0)`XsGJL_q7 zpY$^KfDkx%{by~!a1e;pQc1_`ivD@~&z<1-br$iH&lxHKOyrh)WuQ2E<`xi&CZ4A+ zUPyu5W>})Tj-Qbbwvl>2mmSVCQ$)bOS25_8xxcUPNob=OvN2u)o{Fvu{&e5`I8`z4 z6uF9@h98J_^jYCKcq0U}u&bj6=Q|7B;m;!>;$SG;{no8*Op;tc#xRwF&jf@7U_1grBk5%iZpXdgk-9NL zFF^p4=^)B5{=G-hRTMPcnOndmEV2*aGxa;;Y3z@%u`3a+qe};-%MpKxtLAXv-w_6$ z4qZ_Qt$?F}h{O-UeMTegaY2QF!S@(ob~wejySvNFmtdT<|7tXosMA<0el_3)puUi< z-+bxE$rYewWo4Ds1h#$P_AXO9N5}g(P!h?=DVQwfa@&3JJ)eYx3xpu7Tz7%7IMp<^_?pASl6ROv9bCC z4YfGLpMZc(y4jEB{OHW~NE4A56EeQhddkY1T%{}Wef3GNlBlq<)%`W**E}l%wgUN>ez3X0Zqni>(x`I9jY{?)_^IGaojy&|?&*JS z4<>Bg{dWa#m$di0YKveR7I6$o5rS=^TG}!u(7biSc_})G8G+OVjlXl zE#~%kPcqQ+Jg(7%m_|^i zgh=QVan6n!Nj2fS9Uz2oFj-~@kKUS0!KdE7N=2t1?~QP5*2Vdr{)eT( z|57}r<_HX+ijj#v7y%5^WBF5WLF+tBMD0+~*7hMenf_i1W<-x49z&~(m=|s6PGAeP zv=r;tw{nj?gM11s_v9HqLBU@)Fl}`XmN|L|c3oE4QAoibUR2vEz0EX3`vPGjV*0d` z08<1Y*49r?`Inwrl?g#5mY%N8MYUV%9qLOoP?9cJXCb_lUFaZMi~e=ku@9o5=?t{zlnSIZvWoB zSD;lps&UWM-r3m*>Wttjfb3^H{=~Zx;ZVZ2)l>G|87oX93F)w~)!{q@afttZd83YI z)28zimCOyN;iMbo{PQM|D*M&1w)^3;^X}b4-#dQiHl+^Nh6#n?70Z406wIGIjwpHa zw*OE$0RB2T@+}Wf>V|8O{S1-cG$I$Q#$AF~1XFZPx*3r2(=^yVKYG(1w*tp>zNpO# z4p=BTIrR}?AqKWUgHwTv%7pvRT zaRMdI+va0vpk_*;?9HF?vGc_1-H!uJ_}tk~ejW0ynk}Uj(qt55T1%uA%)M>&O2xrd z_>1~PAzm21l>)FrAB>b@ude^yY7)3dgaZK9s1Tvo#O*dQi3tnauBz2r4b({=<~81S z$lNYIf4UPom|$ES%sR@kjjhYiG4!P;X=z$XfN3p!rcRm|`3vS|7ep<@4xtPy9hU~O z6g{E;J=cyn+Y~2_H$=#Spu^$>`bfa{)sawDKu!7W`*#dOr?rEE0I7vRZK5o(e4tRu zLQ%izC@&<^5RDPQb=_yMrcLG9xw+5G%XXV0!8h;~*F9n?A;t&MZk2S4fCg#kMioAE z1}+0R+1YgvT0vSGRNd61+2&{g<04egS=Taj#ft}aWl%iH82%oIA`M~=c&h-E z$S;RdCPapk5)GfxM~D3k3P)uoH}Rn*Qs^#sD!)Wo>Oa1*^bj|T9w3TyR^vpY_5b&i z8VJo7(h8CvqAJqv<-^QyFuxe_8RbO@b*TnIMBK?CK{tB5D~eRor96! 
z30+8%E0H@>fTyGUe58Mt0n5EBP44w@7kP*H1(~4*K{k8V3iE7R6KOAr^d0gRCgG46 zFf$V(UP-ZP1`rL0H>G8oDMGY!6`mg^!Y*f^TsRD&7~6fE`PjP0A-lT3KjDAdQT(0h zcWKnCf3^tL90m~tX;sJEP;-e?mFF5#@o2{ZkU9)Zm zY56qf3_5OL#XnrJ zfeJc8gM-v4Z{MdiD+Y4ZDd?kIyW^di3qTF(GI-u0O`50S7}Nv1%k3(}({Q{!2~>=FXB< zepmV6mw-BZkD__8nJC~oK|a2CTp~2Ds9}J!?B0!{hC-)CSrN8thRDVe%b4?>eE*P- zsex}h8=Jqp8|uJ)*@{(V<~z#-EBM{)?WY06EXlo_4Vj!Ro+&p;M`+BL0vK}% z;usuC97rpE48@+Y3JeH9xj`TXsFF4yCf;9wQ_P1x07bnN!3 z(rW^(IEXPw(E4cP>$je9u!kTKmHgsL7p<=aEhLWF$%Ut9kDpgirm%&hF8h3`{-CvY%t z+GhHBulnu+6Z4v@A~qel__Kik-|PpRCCq{N3MIm$K417CKwcy#XLQ^l0AP%8FM1#g z8=LG40gJQGF{} z>79EtQ}%r0{*#}+Ghwf{fWW)Fk;)rJwwSN}Tv?ZHZ{H}#)6fsC8TJ({sVSY)VFzxDkI8=g zHQFULacfU%mh@pULv7w~YlvRw7g$Ap+wJLy8n_1AmZ4@kTKP=LvqyH{=T zF)>OI@$g~vx#e#dn0o#khwn_JrvEt`cs~Gfbg9$S)WrJ&QiTd|YU)F`7w!6+0Y)+M z8);}HSH?0?>HT@~V-dU_ckZxh(eKESyEQD`h38O|O-VD{Je<209W>Rqdxa?C|d9dK>oUUp?;rxo+N(-Ok2b=c7r$YG}d9Lne%2L{)ay;Lt|9Y#~!cX#SLWnb6yhn3wgUZk4jJ0NJjoL(si#$7s^LvMB4h5|HBKHPG?`}xj`|go{ zoH(qB$!*+d<`_>nLqZ+_ogbvWX`?{PA>4vo)g^&>SqIS#I%1a}&%RsBn~42y|`w95LjQrf)GoX%V1BVDVqucYX6lR7hURwDOp6Ot1;y6ZIQ*(vJ3 z$<;SGvs`GWaO~T3n>qTh!nL{E0pgPxD?^fGcgx{>I(z%K-yog&SX%d}VYjHL{lKTE z(`if%MI}dxGDe}IS@%&y#KB$5;+RP}bNci!3IGonFe;xtJKz^cMZ==RX?G=4^3b8j zU1Lg$R4iMzI5eEtUh^QrkMw0}FiP&)w>^>`LqTl$ndMb2;=A`}nJwKkmzn!EHL zn3bzPGtN!Exja`p@yqWpMdF{6Mzk_Rkt~ssMl~DwIlQV3d zko`E)w*!aanR@5uEnK@ecC)MhdyKIIW^|DI@$<~tQvQ0+n=_7j3k>m&`#vTuEw^k9 zDbnw7b8r!qdeONkE|*@zF69-W8|)&H*1d1cVEfG_ni$Mj!@VT~S;8 zsji`Ja+&V7O-xN4B=fO6oIfU#@20S4KF? 
zo^QMn>Z$g?D)6deI!Yco1@qII7q5(u%ncr0DVocpYSQ>d&hQxQnK4{`HT<#tae#6g z%}E|Wm?$F~e@5_@FsTpl3ypV9j=f0rU{mX&y79qera8Es`?K}<{LElj-`8pc=c`1m ztAUBem|c*c*L?o`Wb+yez=%eyEa1$_gIE-vCz4-dG_a7vcOT5BXz1yWU=j{x_a@s>Tv3*$fbk39MIhIOT;*AM1Gk_qdcM5J1m&<`Z@xn#H8>HGavSQ|rkxNdDt$DPk`n$3j6JWM;NBVQUSD#GvX< z85D7`@I&-FM}vR(Yz}@4y#}0^|M(s*1BWvJVF!o=Ox_=JyZ~^DvhGr<67q3?wt>%W zq`n9#8ZsMNPcs1&XHpoQV!P-wB0v)ybU@d`u%$D^U}Y_eLe^2@G4bn4#8k9jax-t` z!2{#9fiD4&ozbCs>(WWAViF~-U>g7s~UFE zP}gl>nbvS^=nUyBSusqdYc0Fyhu)#l7bh#s6CrbHF>p4(rx$3~aB>o}vBXv%d~jx| z6WFz}ve*|=Ke?24smv#*%VUK*FcU)nM8V5&lel7)-)K|yNkf&7I!90EGTah94teb|?8opBL89yrJ69vm8`HJR2EM7QX67^W&T%@;8+?3fl1H?Rjk{@u@@=sj zwbowlS+sRWt_VDpL+4=EID*CYxyvJomv8dni2C~Yd@7AO0flrC7OSWT73`^PW|W6j z&B zm8*@UCYr;H{F#-o$- z?bo42tjS3K_cL5FKYjI#zKx3Wf{ZF6u#Veo)4ST`2;bC2TfIKVoHyE<)OT0OBDWcU zp{-5V3SlYqN>mf9BV|`7%TkL-%UJ(#G0UQ9|6J6-;Gp>7!$Yfgxfx{_yQ39+AwqMkA*r@s%V(%2aO zy)r({@e=~*R{U#gt{Xa6A?X?y)gNdaKmiz$Gga`*(Yf+hf7HCr0XlEEy<;8w(fL-> zjE?#_>=Id=>;Va&+w6-GS2M>>$CjFDHkH$-KVWkU&@!_&*GezQ>;uX5mrPrBY4;C+QrLXH_dcr-&BO$@mG1`7`jaqI8R2T;!77pH35L&vToS9pSox!E@)^R`k~rP6cGQNRLu!z zce5j)=YWP1f#~(?c)#7Fl6z3p0wSi{0B8x?3HS{isD~v{zeS7&v~@lTbgKKnB@j#= z(|>;&zTba7&AIvmx^_P^e2sERz6unwI%$2E7u07I>V*tFY|NBDzK%IGCQw2Z!YP^I zG=5Q+w2#|;wgG#FO-+=l#5sxN`|_r_zo+dfZG#(~TH^Xh)OVhilfsS|k(*t{lO^wu zljIdv{Y{S@JNEYJc%~{WVH+D8!K0zq?;|_PVhI92KW&T2j`k?Jx0!n&ylg+PYgZ4q z+%5tbVZX5Jz{uS$&xWsGZ$I)2Z^vF^^Cu45dMYok8{#G63Nz8{(pIL#;UPGTZs#%S62 zm?OJS?Z+L|ZWEqw5y}+5ZH|hguQJ7aac~tWVl(TxZr1XLe)juz(FZGYhUadp_|#mV zAf*!N(o2(dRl~@L+~dnl!ifd4!<_MRcfc;OV2-oO%Is=%Md?zc#KN?_&AyMHRFxFV zlqx;AeNmC7v{RmPY1PzCP+1<60dt|5A`a>$kDWtbZp@Z5mR@_OvrV4^lP}Rs760qg z3knNw&Xg>6$c>AuGD(ML>*1f^plmQSo)KvW^kxTHyAZawmG@cqEX>cFL?MRkh3)mt zn>9^}aW)tXAq3r02n&C`#HtBt>fiXOWC@QpGfhKF)p~c;RFVUwY^p)g%FxrO)vxXo zERy$k$TK|*tXq^b0URUjU794iXAcw&ypaDd8W?PaOEah^C;ruMy*0*rIXieL_`c7B+<0&2EycJ~(Sfn(S$u+c>gsPXPbTTVXylfi{i=YLZ>(#J*TGnlF;DKc(GG+Kz7532pxgDO=|6Zv zj%GMd7;08?*yOIuN+%Cyd5gcwq%>VfOfCHA$+OX3fl0&YxA%%)IcasKp4)Sk$&C&j 
z?q=Znm_SPJr0w@v{OCBE_Pw#-m{0snw!QBspBQ+X_`Xc%Ppi{VmAOaw-bQO5t0~o( z4b`(r9|tyI=-4!=Ad2wDeDtk3GAk!bj?2+LW?ef^VMyI4#%{mW? z6SNX-J)1V6oXJaYp^#EZ+p#4F`CQYn0Lg>XO$n2Ms^vn3izZL1!figD?%bfMNvCLi z@JQ}TJh`)|AMy+63f3N1mug!mY*Fg}Xe{g9_0pBb*Jf2c8sl87WR?vD+It--MTf% z8;_N7B3o_Pu0L7Has3u)X%O!|JAjcYJ4jAvVIzm`b=u0y-B6n0|UobxzJlOh}f!&_4)k|w9BxcdrGi*#S?4{`T;AF@N*r_=8Uv5C$~ zSW=R$DAAly+IZk-bcJxq1mp#E!D~OwoXdSyT~C1#Q@Xv{zw;(!+kJC+{Ln=8o{>_y z}jE`nWvEcpe4^DFX{ek)h?C^-C>j3#&1dafOm&c8cuP82NkI;o#lD`((3>PKOe{L1Xg72=wv=1(gd8ymxf z9bswy^P&1y<+g76A%UgdK%umEBr;zVGInX8)s(a{wS9Y$CmHwpPB;)4rSkNu&8Jnv zW(;=uB?RaB8wBLtj>&OfaoVy9qCV?5Mw6VFHnGoBIEl`e`Eq-pl$SGf>A7dI5c9J4 z;vVlr+wTiqp5*1Z(WWj2x!2`&%seHgu6rYR{kI!tO&3g1H^wl1Na}KbKR4Av5g4X? zB@QCN(Rw*@xrm?L_D>rt>ClVt?G4knuhB7bzsJLLa;nq0>%Q{65`U=>XT((PmEpK3 z;n3nNi2#vEbv>v*;We8CgbUEOM?4+vr;i_}Ezm+78t3ykvGSAiynvJ@|)x+vTube(MWw z&Rnt5cq-6wxKcg)`r`2fR*jxt4-RSJh%BtnG7iCf^h<4cZ2PMBNWHBS*xW%8_ z0XTM|i0pyghxIZGoTN?d@_VrzvO-m_rb6YAg~0ry1ChC#QkCOtP~|)v`M?I;lI@@a zYCQ9=sg*o^mp}kK2SIb*cTUANIPB3Q5YYmoY>gn@2*YA&4meMoAl&=75Ql`#PNZSb z*)$)T(DmPN92Ji=3BoJX3z!U0pln z9Gdj=W6_P7y4I&U_ztwGlvo71hPNxbJQRy_3*$kly#`o{wu0gV*PsCb&7mnl3t?<` zb4g<@q#1&Ozwsg#aWB#s3{N0TxYr)ci5DNDZqxPRAga$CtaU_5m$jke{fNNnGiPog zQ9bx(;M{pHF{NPs2V8GW)z{i(x>M&Ty2uDIh#3XqKVAC#>!fV+F=t54<`TF zFI2Q@-yyU*jr++hyIX*;B@CD(+DroOtY!v;j=qsmFN3^t}$KYijmSOn4#)k`b09-hxw} z6aZP|-g9p|LZ3LN!y?O*?VOz#xOLW%lq-7nMDPMsMSEA`WXm$bh!M6f*U@An&owQX z-4d-)_*l4eJ1$dJY~}|RCNo{lBN0#S5Q?5}YrHR7sl^>95Gj5ts8>YATT)LvL4sl- zHtY-)F8$(oa#qc9enLQA^m_gjmGUz3Bb;Xf^KLUc&o${xwC7CVC+ghi!R%R8@Qw@n z4jkAt`bsI7IhZE@qDCb(fo?L`E}`B*Q%0- z?8!Y&LMt9dRdGdTh4T^D2cLU9fWE@EJGNusLeUa!83kvj#BmWtU9hCVCC{EcOHBE= ziDJ)@*AO;JyG(YY{=RR@(qi)9iuAQA1jlaN?aK6!`+d%h+Zqi!UjA6mwZ)3X(~n0G z!F<#>h%){@(s}QsbY(z%&IQG(l3dyWTBgx#>d|*`k;fTwEx~ccKTr6wVM7tvqNhAo z+$ZQ3)-P<(iRQCzOV6I)e}aZ=|Es|L8E>5POm+Rg>O{ zVV*sf#N_$lk2Pv;1!B0Cdpm75%rR4C>xh!pj<|BMvh;Hc3r6WC8?tYHKP!HTDcic; zslWQ6<7jh_(!-!-rJ#}v8D=#|N>fN?KtmHxVMP+!WA7D{QGpN0i0M;L`E?RP&ZSSG 
zOkM6S@g6ZSZqoIV`QF^@^OC6~e-^iNX{KI|g@uJlz7Ch?0(IMNnYo8b=o6hFOlDWz>0xezuN~OT%c57F{njKcDBsR6639g1ZZi%f()`A0KX*L%e#x z{~KKWV}}voDmO{IoZ7ct-*#Ou1;ZN_$57)e1g0In`x0K>O~MFHvkvwC;APzGIn-7o zU5ocN`HMCo&1@JS&*@TX(@fseI*pLVutVzZt#fm^vTy2`j}5e8XK`GVN5ZzJqzGP! zdg6suk51hk?^;{uIfrXPLO@G+c+N4jJ2h>gaZ`LH;4%^}wbo_5A`cnu+|}vY^oLBT znt#y-l;e+Pznx^04&G`#%#j?CcX{IDrR##aD`nAuLHj$7Oov%Bc8$R*&k8tpRe`L1!96 zb&@aMJ1CSnpJaS&Ze^mVXz5pYwOVpV)QG^l#BA*#MAtOUdh{7PcVo0+fE1je~6#fNjh6jMQqc_~wCy3!=N{*&g9)P;8lUITeffaM1IV38ZV`!3q%dlnSb*JR&m@;wPZ6hM>hV9 zoI2fR9(9R!L_s+mMdt6eOaOr=It7gnEF$d|PE~SP+(Qb#B<+`2QQ|ff?K|n)njxSE zwH#MNA^kpK;Yq9uEwk3r(Mb%aN=p6xFeD^oM4-fDh}=_x{xg_M26G9_S$AVZ3?)GKdfAmR6oFt=leJlO37pydr|vhMcTSwO9j>{* zR@`f|xi4m|72h^7iK{)*KJV-~Z#mp9z20b1`O_9bg+^VksEqup>KJNaD8RaH{kD4R zoK7E}Wn3EEI9BxxS<+%3GD-r7cTay5ji(`PLzPzOwqUbGiAEO~SNF4uhk;$7$0l>K z#Ta_M1wp-^Xi7*(jhpB8Y|>;I60ae`U$f(khK_X7k)T+ZhesJ3dpg z9ChL%)o(A-@=TMyVp_Cb0?jL;TY`XI0q!W@e(|nbnNN!NQ_I%{@@%2rn?h6!D6-OB z5JL&UV1oJuc}c0$<~4v~)lM|&jC98nq9dO#@yAidDGVsGv!=xV)+3S^0gD)d?yDa3 z;jnS}_1s*|deYZ^uKVcaHL;iL;^dDHD84I6{6|?TdlfB%No~RkWscv=m6k*j*R4r; z{lGh%O4`m{?#^T(?z?@`Dut`lD(yQc^UrtJ6Ls2Zu#`7Pg@K07ei+TO%0S3MWvYmN zX>IlVr%-K!j9*?lawBBNlospG7RQA?-r9P4)m8FAOGQwbAi^$*J{OM464UX6fT`y3 zzS<_L0hr3KOY6AAA6Vg4vPbCyYwz@m^3`~BWtdrh@#PnkwMRz@j`k|gH(f7(>*?MA zF#l2$1B}a2Q7)bHYcdNmTHv+(`ZaZ*o-+S)#cr7U&pj#_KUEP*@$2A<&bUObVd7<{ zkFWGoetaxi>x&Zo*~+{aGq1aWIA6pynIrGfiYQpc&h=XtXV6ojnPo)Fs)3#yh6x9A zIx>KkhM;;*$@@J5hl~67D>~>rm4w2!pJR)(g~gg zMAeML*jx9>8b8F7ywU~meY9e`(JZ8306q-XlD&#fq(w)|ABg4)BV@Rp>Fj{B#p-en&=&1pVW5M5sQF~<`}6qvk;c31dh2|7XbMEY+J z0Pc~Ey%W4&%UP|noBN^L9-sDCG(&RwJNYkM81aN zlzKxyTBX8?!WCgI>C@)$u-a+ShhdM097<}7EL)CgKK(uv zMs)FMmpjf{Vb~EeR>^psee6FI>zKFLj+KE5T<6U{_I_OiZ zlt2aH++kNmP>Z+;-P@aHrf_BBJ=33tH|pD#Y#3ogS2~ZXtF4g9bkbvW>f~zA?S(bm ztB|XM0@$4^<1)EZ`*HY~`O@@&><>v55;m466lpbjlEuZu5-RWw*R7Ip^{qN`nL^h8 z9tNw`=$q$C2v7^KE^ZO|^xc8gnJT-?tPQ9e$>O~;(Tl*Gvpt~G!W9Ko@LRqJe91r75TAtrK1u2p+M;Qw|b@K5l&)H%?s`1 zJA3N-Br=wfr;ONDIA&>yg~-gaeoKsxFPs!nQDz=}l@N{ra-m#;Gk 
z*grmsm9ke!-BU|8~4;mTA~ z)NgjR3@Ux$??=f`zudRHu5wX7SjTC}ZTAjBin+OT%T|_R#B~U+v6SR=<15rCs0FO7 z_p&BlW4Gte+kO8i zjRd$n)W@Cezl9KPcsqp78f0_VuGtt>HB)T2lC$l65Xo%ZSywiAt02x}CPba1h%{Jl zIsRSO9uLMX?UV#Nm^10?Tk4M|F1ZLeVDq%9d>N{1@w1=H}&X92rW{0p@8M@Ck z;SL-mxaVX&zn~!fbdw6{iTq4Yvd7$qVH9pFXprLGzWp?Q&1#}0%E=rM$SwQHZh1#9 z=WxtTv;!viV&t)OIc$!@vtRqjNb`7$?s`?3xh+mR=Ii-W^SxH$Wl0SbP?l}vR8#2C zH7PK&k<%u1%GPF6gjvf;y!!F-=LYX={_L@F(pb)_cn;mF_!?=uv_oh-$sc9fEIE|A z_=%yrpcjwM2{j9~^J#m7^ZNS>H43BRGbzQaf81@N8oPy*e>~k|%@svO8oq3pk;ezm zFXeYUhrU8yf{IKjJEy~*ws~0S(4iT;1_G%*H=Lvb6#hZa&jL3Lmo@JGEub`$D~&ZT znrSGLW9s5hyzw;0Ia6sI{B-KH0qv<_9NkjG^X3XmEp?AbdE4E#YSFG(7n_P$J)n?Q z38D-cMj9eM75}1#=V0g>K9x)7W_QWDBhm~hi_;;z6Qs>YyA{u_3C#}+d_eeOWx@-QkY_qRfe2e4yqu_=e7v*R$;#8dWW)AXw<17=9`I%rNjTAQ)-jm(kK#8-Q{1M* zWwo1yD9#!OF#-lCauqFMsqK5rtesFWaKlA#xmNj>s$;VkYuKNH%mvPjUJBUzVWE?1 zG}ka+BF+L0OShbAkzvMa{@XY`}hKNRC?F}DmyqpB@?c?d56Uibz=3)aiM4}Nl8rZxRCd22hPVbRJNx%6C*g$Dk@F1?(a&Ywp0 zRwL!6sy#mw{^!L$Qsd>6uP8%vCD(Lw_gX5hq@op$95yTDJosvV%wjXv1FImm5w zNJOMzzKO94B?xVi| zK^vtV{|1Fl*Lc^_k^#N>h&}}_JO)VQdi_jMB z1&K=f>(`3bH*h5;@@E)G`T%W|zf*JHy4^QRNLvE~%Qk_TjNb#u3}6I7qLrCI54CM& zW?{i|ISJFe!YP0VYzy)HrjU4_>tndHw5BpIbbOCo^-$=GU=79n$PY4Sv8 zUd#Nt$s(svKUwWI><IZIzt6FUFns6bJ#vL0h6NlO!+ypkCe zCL-ZqfT$6r;x=NhLZRt;J&gJ8iXlXoXB{p=Q44}NR9AI9Mkbjg+1>CgCeSGBx-b2J zoHx^{)`((nviAr5xi*_xZ}P#hi(H&b=njE+up@McPSO<0FWi#1KPliXP|(s;O`qCT|irEOmss$)CEx# zA$X>v&&=9xbZZJ%Kh2%%YkPa*IX!!jK_)vc6u8c{UoR>!tzxiJE(i&sIhbu*Cplfo0C`4Pio!DgQW@3U2723D=BF`PD+6&*4R08fRmjhs z=*j_z#V$J&ahNl3Bx(g)Rna5YBKd&&)*9*BZX05&hte+#{3W;5>V5H_#fdz>kL-;( z)t6qy6&N(OGBQ=-5V~`nRSzo7@-8uP@jen)m+tgXY)G#Xt`>X8-EnW0Gd6aqQx~95 z;cs)jxFLcyvW~gq?(W*yJ7!ijOfgv=xg>b{K#1@Ye>ClpkrHZd#r?XizeX#x2E%0h zKtJl7;91RVWOg+=bz^mPyU|mOIizZyknZc&=yv%#?zykbUm7&t;27!!B=qaIZ_~IZ zeS%<;DROBUMg@Hi=eix17Tm&RNs=pHk_-0@uVopGLG8@RnUC@$h)pdo zDQl#z3T-IBXV4a9S*+4M3t+UipBw^fRRj=-^H;)IZO716{H%moP--XRU0OFbYx0O} zsMvgj(vjlnIvts*au$gZPtaF*gj4^7multCLCS;?j4k4;G(OgTR_~85oySl?bo42T 
z0VZ$GCmM}|z|#_Lq`U+M#3wZs)A;YIoI{F}1}c2}HR#cZ>JwEoV9?Z8mB#<*ng~%*<>4Ie+BB zD5)+bg13j}^ks9S#v5H4mN{cP)H2S^*+bobIH}-BVoF77*YE*F%4>_XW@22m z3er@OI4}j}{L|e%ym}7@8jcYws$eO}%J-?%ZckrBQIv?iVd1S0uKQRN&YrP?v6zT9 zBwLtus@ix6Qf2HsY~~Vl`5~mAYYUURhGz0Tj)$g`@88{(|Kp8jBWY^!{m)ni3o|nY z81}ec`OglR)0LmG{;Ka%eH(uJB|DloA8~_nUK@$KmVkJw6i)5qaaqN8%P8NiAa%i%~*kK2P(Liz;0LuB2SX zeZfU9?aWWZavbuyD3@M;(se)6Y$F4MHB4{b0tAcn(hTyRgo3VU`V;@NM?F6<^g<{i zaV}1-62J|fo+I+wQ%UoC||kq3uh`WI}LQF zRS!;*j@~hLe(j{<<;6ttWZUn+QS--V>d+k1j4sGAO8%;pb{cbmvS2C)9Ui2IW%m=B zADc(sqzZg?Ea8Yqfuc#2`#jq>kG}ijk?!+tfJsLnpviC-y;JmY{)gp5R?(_W7wB_H zUlka8&h`9&%>cNS^7*Oc4Eq6PO6&VVC~*ncEA*h=WDXu`=lq`E0@}GfK4kJKD84TZ zb~E(;HVxocA8j)V=9Coej*Vp!r;FfC5N!Q-NtJJ%utR9~qYrCWr$Q+@^%(U(_H}5i8+G1jILGun>uUJ-Uzhs8io%Uajv>d&1Pl3@lZe*xb z3xoq9KY%D9c#(ic5z4{f#TS*@`6km7^_|uQjKkUK%ON6IggbXS>gef(A6UOhnN2L% z+N2LJTR4C!p%-m~x|FT8l2Ro~tMm;|EC1os&@sIEW;t~Y`DOdP#Kz^}D`(HrXFCD9 z>r2Hjp_&YVcR3cmnVzBx<^gq<^`8VdlR(tfb3KEhg$771AnM>M@8}w|SDXDOwno6X{ZaI2BK~rQQqA-eA3Y#W-5J zVIW9a#n!gxtA@eVwOzrYUM6ogb)tR_{1h9kNat%)FsEJKv@W=;OIrc7hPp`74@pC^mOG{2jE z<0FOnHoiE%?bVyB1X51ez-ncVp<=W5;Zg1Fj!sUy74!<$)1}xhh+DPZK4_}x!%0vI zBiq+?%%W@+;mm4&U8S~c8>V&oWcu-^*%9hA&fGeeR`BXBVC`nLB0c-Vt=U1>j+6I( z0O&imyPaS3_Xg4Q&XZPguU;7g=8h-xG+m^29Tj-!8vU=KAj1)q)RZR`FE@$hbS@Wb zMNJrbR_?3Q3>(d!DC*7%3DZwIAQ)F%r=?r6dhAfV%=#(jV}d0{ zaYKY`SU1Ip{b(*p({L1=_uUkvHz8*(M=v!Ykggp_R*m_yP|Ly`4HXupmdtEZ<;Y(& z@woHudv_K&;@>T9+`_t{U8HmWZBm$+AUt1oi%rhX95lU_p1;0$jIgkcg+)S2iqZf) zGlSr-@&h zo{cx9v>sD?>$v%-sHshV%}0?}tLAf_NzciVU{YYECjoncv<>b13U43xe{^Z(MrK=( zy{VfDZJUW`GkHe}04XcVGS`j`R)fHlv7h&RRJ93%|A{?G&58y}CKuTBD(6*{mDR%R zMuFT}Y&aI#T6mF~%|rtw@<;+Uxqd!J@I>3T>Ic4B-si!Kk#z9@xhnT^6WF(E4;hIx zbygX8qto#hyyyUR1-GO<<$_M=+&X8)9qIG20bc+54LS_bshazLG_#SskTtH>61t{y zog7B)G|KBUUa68BD9Yk-=(Ecj>JK~gTR@UVlaBMGL;&oCR*F3Dd)@B6Ez!N*pMin2 zO+kEh7sDhe%4R+edf^k7fZNOcl~NpRp=VIul%4A1!>60OJ>gt$Gsa0(NhJzoy|Axc z(X5fTHWdFZMbsB}W{>jUt^ADhCNEmB!2M4@HBTv$=9z zYJWcVlx9s?1A+B4Kkv}|K*=2G2NA68?XyjqJo(lqly)aPdGh4DjcYNhlJ%-0w^^_5 
zovmtxR^oR)z1m$>@1~yHcvJD8xhgTr{Qs=cZ2v*3f9$7TNs}@AZYnvDw3E^S(bOMM(>Ad$WWQp zUQCv7ZZ!(_-rwr&iBfRE0JuGLAaUvx>DLExqPb_m8pPji z|1ZnV%_7gwJmWm5m;Ko!z5AY4jQRhuK=41lmJSyv=^f2!ejTCN5UAJO>1WNZFqvLv9R z%s%dbCP!(;sJVfOChoCKZg!iE)@)ZRA|rUq=y;w!^B|wv1W%?GT~!GOd;pO9VM5X> zV@ky9uEP|P5&k$U>5SR-g4!JJkG+(!S+s>qnM-|9kExc{j3@-1ehWnR9De0aOzJy^>5nK0yJ$ci2p@c;7Z;9C7XbD5=)+pb6Y!z_!szPogeOP<|vCz{;B z7|jCm7J8}`AlgwmuAu&YLTH8;WQSreQ75%-Y$1el-*)(&pM_Z@-BP#){JQPosyD3^*t-4jNIp*j)+xmB-%Df+wNk3vN69~EK>{S(SR9e`Et3&1A-#E1>)pY zVWOhRLJTm@$i>ehLV05u#Hdc7P$5wpPGq|FKRlTx-$cG+P6Czbb+8EJHNI?d7Qqty zio@iA1#KG0d`hA<0nTcWJOlodM`3J`<9a?Z;MAO17~I!$%<<8{cPNZ^?ZYxj3-Q0J zfdR}F9~xXV z0BSFATR?wv3&FUr>16YYIIF!eCj{!jr{COFx_Ir{FzUS=i>3p*ByraLm+Y4T=S1~W zd@n9O_Bqu~9CI|Sy7qhb=+N&bMu5}TF8pj(IHJe6YCcM`bmHQgU&WFeW5rAr)>>vLX>ZZZ+yC?+0rw){ zrp7l*J+>ENR@YCucS&Y2S1-7iDaeg(WIx<0J{%2;GPCL*yJ@;B2Uiv0$E~z(mNDjy zdrU4v!98L*J%|t-U9=+9nFgR!g$^%3u4$}|P1`@~RcxZw>6vWuG@OfKCbVuC{CS#OzUw?0z zyx;1!>&OdW>!k+`K!d`O<*|NSX#_GS&~hL|-|Bc30K9*}!nIwt9vu6)i$LwE{vVK6 z!gp#WfdHYf=-9%-BIgmHQZHUqi0^|iXB?qy0aJr?A9g<*jo|`qyEOy0O`x+u12Z?E z=kUlUPzl0oR8+bU3qvtNJL+YGu{)z*abE^=Apk6(R!K}$-vUb=yu1B>--p;jX99_o zAkc--IvYr`Ea>I=dO62s;QIxLO^D;u3u?9hCc_r>|K`mi8MDDsbF2VrCk!bx&y>CQ z6qT$xC>n1RDy%sP_K&OHHV4by6~61cWQUANZSqppUFs!KO<$^nksYNUQPUg?tg3g{wxh!c`?F$3bj z>Q&?dG;k}5aWAo0o6-7?vQ@nr7o#80oY;-b`iuzQH+bXH9R-$>DPR)40GS3`X23^) z;La+zKr46mgczT+@9H8Vku(!Olf?P#*5j@5+5tPl@1vMCuo`;G9HwoJCuO|I;~E8> zBmu_z_y7jmF|E^$L*V&_dU{y2BPbYQv4hOzsP3rcpwjfEwd&>LwL|P35y?1^aa~8! 
zA5eL3m6?8PaaX^E_*Gc0Rerjwla`(iEh6p3i)LJGtSaCcyK@IO4`Ng?UfOYsyomR& zKb4fA9}&p`KNiPtbe)yQ77NMs^mILRw2X}KVyps4Wm8v976!pWI!0b8S#oM;+nYfz zsSc6E8?8AxyrGa{$_DejKcc?}%8Cw%SokDJ#g6%tQ6T%5a-Q!&*ixB?^*~2VLof3H zOAevCB_Le}F%+Qn%CfDxCDt^qljd;-Tpd2a%Aiaf0h|YM^t4WRNxlT}{S>_5j~_hv z%tqFyD|*q3S2?_nFk3TvDg?v*D`clME zlvnX|oH4HUZ`Ui`IRX8FW5@NJD@M7MTOTru>yw9`y%Tua-quzhPf_gC@hDOqBvWjME4_6z-kObNVDon#pf0GD1`{z>z5pZw;+JJcZ zHj+5w!?QwH?um;Ku)~U z%$XAuTCHyv82<0>d+QEN8fJUx>Fd8dN@ljGT;vtR30~r@=X`z`8MU^fSISuJd{~c; z@KJraEir-1ER(nh=jQVS6vll3%%woE1DzgTRt6IsYPmO0EQzm!xXw=E}C3Pj%$IR z;j|lBeLj-GU1$K^F$<)hfLUb+aVlk>LNdAaLEvDJY4vcX*#>&cJ(W>0{1e z2LE-24YtCZ&qkyN5W%9ct=81sY;p!cf7$i` zR2qBM!FP#fl&lzH?DLGUOb@QOtfa*mX8pbb>N}#`s;WZ}L;#bc`e{3W2evHz1puBH00Ni5o%TvG@Y_%M$G)d3-}8jF7U;cBtUaILM?KAkI_|77C>ov!77i z`(gl78b{NBVNHmeNm__GTZyjmNFieH6?E1J) z96kYuVI7^%Ei%J)P$-Rp?shN)zK#Kr!shQF8Acq+){C#-bIsb9PC0=VbvB_ily5ea z+Z%rB&LVis1#%B(qSgHT{V79XrO?qvq#_gKH6hG6$U&?{f^~NQtlxt^U~Qy?v_`oi1;OM;wFz{O7t-KF8t%G|%q}S4I=jxq*KcKhBS_ zwX&3P`4>iJ%Kzg_L-Abx_95M;f2Sb_6B=8 zjPyx}Zw%)83ivP3s*tyebOp#;7kVYR9KchgX+>%g1TZdgFvI;q{(sPq4?yb!537ME zVnNAGf?Et>3#ASdCjbU!`LqFr;{j!8t$g}zf3~(6iC(GgKESd4gY9sPIZuz*e1JmT zg(n*EtO36HrP81&at^-gOwExRPf=R6?I+QTiJaxz$S;L{-jO#mWebUgg z!z;tp(Ha^N(VFW6Qo2QjVcp-87Tt+226Qb+Pm~Ac$ao<8DlH9i8sy2C`gou#u2#RU zSDFJk8vm_gd!`hh1s2nLBQ9>qyKUDElx^LZtY7XVy=uF?oI zPasOW&?{V}qGOJD>Dq9Ei$BOC>b&@|seXK)sCVyPRrGf!Net#2<#UxHWWvY@=yq^C znS`nkj??f>Gt97^SkSjzSGI*o0q7P%BT7b`Aaut(7*%t5CQF*M9@xLS``` zI_^wuf8n_`$E#ulrzn-S0)~l-s}w%5MbHTsFe)h(JNh{H=A7#VAHqH#K1DT&$T{+9JvgSO4f_K}5qWUMn?pd9y<%go+NXO4N501HbL0cKHaZ?Or7(kb^Y4bjQsG+d|ui}L3sNFXc(3yQZH(CJ^N&RfAETum3 zGUdd}nUH<}Z8y!RMs^a>K+^&9%XM54@G3RhV=%cHf7_-LyuM}j;|DOq zW_BXC!SO0YB24Y`MsQLl;TQ&WTKt6_4j#|56}s0OS zAf;H~d@_6Ztg z##Z!^V`uf!P;6C%fdil6$|xCIa_zCzW*K3s^pWs-xLue?^1%Od-cP!zwj&q!2L?n( z1yH~hMwPB8HE16;OdR&E_4DCn_ZVM?yWwg2FZYgdwmWK!u{Fy_%yl5oOnXJT)R5;D zC`K-hTJcS8DL~%bzgzUL6>4*M8TdM;?2qxv?xB|bxKCGiV=3+^bfRn09{XsoT;`Mb zgOOd_tp4)!yZ;@0c%4hURs;=u5N!y&MGz|~Zv(k=Kq{qnqYG_^F>runpg#s`5l=PC 
zX%oyipr8QOUp<#<@9vnoqoX6-8W`(dyx5167`Vb7V&fDBQc~}w+_D3ot9ieIAw4xL zG!#}Z>VaM|%&VGSY|#ub)jAUd zZs**n56@L?LG4h_PQur+x3Ve+U=UGe=jxTQWy31h5@v`m*tj~Dcg#M%@lN1m5kRd* zg@SM0RD@;D3w`juzF-NR|Dx``(auIlz5qn-MMDZfA_%^pC84IIR5mE3^3Gy=aY({(8F(1d+Ck%=3M|Y~iJhKl&?xX17)LIhQoi;4~b>)G+{u?5T z59Ot>mixgi<#NCk32#azRu?^ijR2s0DobMga@s_Dr}GdBu~bPtgrSZ;w zVWpd?X;^|`iS?t?B4e^BaR3UJ5$^?rR%1Ni!mN9mnzC7>$FKiB$*M?E0l$^95Db6L zlXbYlBwCJc2*n6jX8Jz{1G&i@a^XVZM%ED3leu6!RrP+3>go{l`9S- z#S73S_&_nsFaQ1ejknR&=WuXAYl2j+x6l@>0Rs+t8>rWfFwKOnNP^ackc`0{&g{eN z`&%+DXgPU#>J5=}MA+v}YIC15<2rQJx1o6DYrPY8E9Ut!ULma^d$Y$X7uu#X= zO#%uFgAU}=&F3JR18D;RYY$ym2f+zM&F7v_K%~tkf^_u7efaQt!indS%P3bV zB3GS_*SXX6?W7RAx@>2j-xMxHPIDxOh27#2^S}4lQ|Yb)@~gikm< z|3>&86y8q92irhm$MW=uir7H;-=TKwZcHW$?uE;}QCE(gzfvg0tisGL77D};ADw1UwVNY#xOWCl8AnA`!5WjLmrpG zE(vP3dO!x_x?gu!x&ry z_$^?OAWoM>?B3A6BWh*DW#NOg_()!gcLc1LK7r<*YqMgdbQF$VSUvW!9XLyo2N>qg zsm9=hQ)W*eI!4jbKp+2)vq{hu4OIKIQjFqCB#I@<-mU2Dd}D5L{jRS+nUK))VDZFN z#}Ds+oL_M4bN*4r+7mkG#Hd?VdA@L(yQ+N{>w=Dhb6=dcIXt50!4Vr(N5Jg z2V{BUtf9}b3r8uu`@t{1r}OTEqzhV@@)zTTmXYD6gu}LQvq9JKPTB~Ba)6gN`jDU; zwqrRVpNgDG5^?@J+Z>VSSbgHHzs~Mufw}|RaJ_@0JC)%{UcjFr zOV~acEm$b&n(BKLVK{ay%<6N~)wY+gS_atShv)(-k3T7EbJ(hy=Qf&z4#QEH00F@- zybF}dxxAr$_a?0EMZ2p;%k!GE@9*_xVemPBw?uzhJJ~te65UuD(K_c^9>HJiv!d~< zBzSvpHNSd0vp?tW`;MS0HCn@cq0?yz*8J0}rVhj+SGm;DN@;zFRS}fc?I6fH5M3^6 zzs*7cVZi_==Ia*CVo#6xM~XU>?XIC5hag780}v26l_myTf8i~zh7KDfIPnVF%dt!= zS5YzdIXyF!z`+LVZy`!(^Ye9X6h$S2nByb}P(t?e^(!_(9LF|g+9jUK>uWb;6n_j7 z{q?XBO|%k66rl1_FZU=EaTuSKFxE{>FbDsJX|0iK=Gi_XbDLI&tYBt3rb3-+(D;JX z5a7>vK2A8AWNgnNA7(X}gDBMidVOf1%IojO(}|H@yKpX7OHV^X@a3Lk9-4*d_kK%x zJC)XN=g{1No1rVI%%|LYd#dyFGOzViY*jw<-cblu&ieG}70N0BHXNAQy%S|Ek@F}4 zRnW{U@C|T!3MuNfQ*pe3)8(^12?5k31@gOtUX7yoF#SRmd8Bi^1O@xY0v> zMHRAapq7~|L4aVoIvVG_auD^^8|vuEqE^@~QrD!9AiOQ$* zvyW*t(G*-kF`QC<_hLDTMd>^2Mej`vlsc*qr16;(^H2_c-1FHEo>P>OIaWb^;bm1O zzJ~Ik+fz}=;0>)9)^X3)`26GKvb&^z-&@R=uVYr{4^|!IZ2CkUE_q1$%eGTBG`+(# zX$k~l0%8Mrc6suo;=PaS#o24_x-XPqLC7t8gt@rot;O(xflVz6Q9v*rNil-g^}ZmPLVpV 
z;ALRIs6ASW!Jl+L0Xvd*o_>AzvqxP@X_`CNqvPW*`Nw?#x20(=e6P);qx6bq07mUS z{q^#%%FZJPFQ^5^op38IQ&QGjE9q_~-fgGyn-}}SD`+|M>{fRL9M6f7kq_CNM1JnI zg8x1d=CwE@Pl1&K{}P4!ws8hkM*I5?_twU&_zQ)7G5EtjKp+}<+&?hz?2-7pAxt95 zNY!_GADSrk!me+CxMjCT4Gj$el*2w<<-7oc^iP%q1tHr&VI1&*4W-s%W)}Oip+UHn z&pQl_1C`#%pR2|zBPHKP-emLMdE6!Q{T1<1wlOsls*zKR!S8w}17jS{i^4oRYO$4u zN!4p82m*FwfXYWALeeAjv7<|Z_QG0Y_K9v8P6j0W z7V0A!@S1oZJN1rI~sX(*D}NCe~--;5tk;qX~MR%s$a(^!%3b#|G|x`D?F$V z?cps2Hm5he=zouoHlVc6GhQ&N)Yb)qXM<_Z+v&BneCE#-=(GPjeJQ-5wZri#@UlgT zNc)(nC#UlE(#YBPP8=slzwZVz+7R-MNm2@U0>C1gOm}W?qIV1M34k_bu7pY;nn;d%X#DdGNOp|*tUiQ z`16ji3k23hYYkVqIe-!Zf=bWt!Anrcm(Ck`Kh5fuNeD4M2S})NK>>6)>kPU*Am)d* z?-+mLr3`D%Q2Xe;x6ZmFd&=|@W!{FUh))?xjg-0o9V8=xD2QxM6ngSa-M|@mlR2o` zAiSt>3+DL-I$A|(NE49=@$ama3>V3q0RKE}`duu%DI@dID}4@PCj@9njc1?}0ds=e zY$si~LgNQkllP(yzW@n#I^3~ipgW;rdVsEm{;AVe0cC(Xgg4E(8RY9-qY??cZ6PtlLbLmzJIo^d3o zfXWU4`x^!{XDRd%N*aKw6<&BB`8d}il#ePK!BC+VKvsPNTRQKZmiA{?pBR2SL~^?-R+HhiUBjSqLdbgWnV3ugjquK3vz_Xwc?(|Wf^+9#3kqzgqovZDaTB-%{jV^z z9K;wA_`|x(jqA^FxP23h3t zeCvuQ5aY7-tJrj<2y4Ed7KIJ%qnU&als2SHXU!%9a0%PH;_3di6e+xI<^7p8KgtWt zK2T{T=kfN&hS00Ydb>}0?k6ve+EqXO>KV%!f&x;c{QX-&m&KouU%#&1SVfk~fFHsF zB$hNjH9)dsHyVcCVZOxqPW+s2kNT1jUQ$MH={9Mg@^T>r9{vJm=6$byqhZ33fyakp zZwq5Nm4*;I%mX3O3E_9vZ1Qq1&xoG2Y>sMiMb<@IbfjP8dwhYGwk7=|DMucW5bPhS z*jGK15w34AXOnQ-;#Xwj8Hb2yUeO;sEastU#+vX^^lCHD8hYw@ZLiUkG12W6XV5kU z7u6n0O*cyT<{MEa9uD-xmhiTyqa|TAI^4anYBEvLGC1=`aEE~3l=eEZ`UO&5M6Nt) z+D=uWkHl!{S3En5<$pN>Q0M++JswxeE4v708Q{-H3RY`s58A0-SwPe&vL8q^AFsv> z(CdTtDClugd`cf6ekvHaA*1dbHkY3V7jiE^u`*Hqo)-GF>pBIKAbHsX#IHbNs0tL3 zQ!D^i4=UC48pGlt9mXOZd<6HN-8rr*9_r0l~3hp(R7Ssi=ZH?}d z;Pz}Ee(Zh^i^Gc2`@hFNLeiDgM+Xs%_ie*dAl7g_1*)GS@z;59Yeo7MHqq){+RTrM zxxg#m9X9ipv-DdBVE#p*6h{x;FmFTV6ZGAbVNhOyHvZL?kg#y9nr&q8>S!6c?jkS? 
zEmWgO$QIvBx3aFE{xhTi-i{2ce-#iA0IR2zPeDdBPb#eRM>Sb8G$;HTN>WNHlKWSs zO9%9mp?nARst{;lLg|Vhx&q$#4Av{$+LO;Z z0nSuA>ub8Oe{BdT6Wf-^J7yev0_S-yUq$uQL5IWf!H#6TDwO?|D(t6)tz}L<1#A|* zQy`Elp!q!Z%j>_%AoSm4aFW|nIU3F*k$%l2%^#Z3hWz8{?KTJdwK3~IZv*LgP?J)y z`6lN6A0bICJv}|>0W|GfZq{WXVz-Yn%sR_Ak@2yZUCoH6!Pf8xCuY1%aWn`C`n{@l9OSf(du)1rlDA(5wTRlJy+s(y8E?$QWu z#mC3F3V~FtsVt$bCP%;WpDm9 z`uxj%WS4Xs6&H(O7%&|A-<_OIfSot3y2js=r7n%*H0q~m7G|4){Sr_Z^KEz)ppLVi zo=g4qO=+tIPc1N|ce9F*<>pOi;11?ZVD?$}bi53>(OnkYxQ5GhqL|#}(XxnzIS|Z% z(o9p$ z%Ys*TX<51|E2QUw$rt-zv4UcV`M>?3;kNdAz?iblr!v^d{H3no^@?=rgJrQLQkhmz zl@HsWVKB5MiM2IgI-(GJU@SjyKG*hCqHn&ura`&IoSCz=e} z_m03APW)aN6it&SGc>qkFNYJ%IRh_%Oh$h5wC2Rx-Y?akZA(*)#xknfUOd^;?!SnY z#}2=5D(z^Gg77+sj%MlqJ)2PPYi(uKqh{;$_zov6B+ab9pu54(Vfr%p5*3x-uk!QO z*B zl540#$r$26M&DiQcyeRw)laHWK2#=Tf)<|J98OogqS9c<@<>idgydZ;JALjCuPlgF zqHp=+ljFyz53x_tp*YLzH%yP$Iw3Uwv!DdokOu_el3mn9q1D-an@f#Dy)Aq>E@!WQ zug0}?0_4W_xtRLiEl3BbJ7~IYyqz2yiv!j9Vwg5sZfSKe%U<;Q;*d@MHYx)dwFW=_ zZ`9&+&`)r_v-aPOy#eb`pTjZ+I4*fvjdeey65>Bk*U3QNK~5e4i6^C%&3RW*O{Rj0 zyr(y)%2kz%c-+>j#dy{S@u!^&o<4^sR?4q1hEt{Np@V35^^fwb=(2~p3poG9;9 zItS|u=J%GnS`zibqt|X;U+S#-u-B(+PJF*k3Hpy2)|hoE6N&Zv~b7*0|8&v`Pc6+4;BBgYjh-k&emIyH9% zyBM9&o_3Q)giWZ3PxxM`-0Opd8i$jP`%41u)9eIX*^u=-+v;xV>nTSLULQUKT0DAr zJh7|pc%7zqi5AuU1M>bTm~b;IG`u(F8zA^ao&XEF&XAbUjC%Q-b*yn&ovvf1@#4w( zuU)$ZPZG#5R3XDwOUok1fXh7e5BzZd&5Cyk$Qa_Iqd)gs!-W*=`d2u`->ExCV*=D{ z^M8HxI`%#cU1?8<_-S;4Ubmm49=*zg z*hXUi#!+}uAcwm{3;kux_Tl2{V4ls?H*rnzY+e)2-v`mJ@=xCRY=y1&&+3&LXrb$L zp`1DjRSv6KhH z4RU%U-s9u$E~Zz=XdVj7E(Zch*SiUj7YE0dOk};~Gl767&gj{r@Q4T*w^fF>coMwp z)AQ6_#s#t|VzA0bQtF27f$VjUTu6}SxH1pvxOFlQ zkGe3HeK7@_=aB;J{c`4TUut)E)$x8geD3StjUYT8I?9=y>K>ZpfJZP5#Kpv{cL!^u z>)aN6p5Qj3y&jUcx`OcpOc6~Bx4%9#{RBYeUuKdf9EfC>`#4_#+vxmb`az$mt)*pp zKC9oFx8e1X0e<|KUMuxb`5Y=N%jsLOcOO1f!qw-(%b)>dk83@_)j&7ODZ6l0b^7T4 z|MBu=c1}0Rzejk}3i>7q#&E)D${qXqRvK8J4R!tYaBGQ9&J`rQ2+`{~Z|^u!>lGgY zrgoe=KkK!ENmTCLGr>K7FpTw)k)=Go6hY`qdUR!pj&I*83y>g&XJCVR?hmWZa;T&l zafaS_Y~g9^s;d`33i5*tRaSA(miXBTNbvE6mjrJ(&RT`;%##*UWGl+yn++XizL(;) 
zY*`#FbC`4JpXLR@hcCpGD>qJ=Rn5QSYgjc#%UeN18}MYF)GO6;sO9(doBnp0_+pI3 z9xpr3AqeFq#qsoi=T1gfdv);F%i{F|FT9Jb_m8zt+m7bn?xy(|=`I-y7GeSlcpa1d z%sxtcc|3jk)thXT28vh3J4^tJIN3E+C&dieH?mjCT#$(I+nU&qg$Sg;nY<=vL+x5( zu{QS7k9!nMCH9w2pLjVB?#2#CYaIVHH8m&hrF~YBh_xmRkWJD2S`9@X2J_JlO=9GN zpdO();C851{V1;_*|qtoqTBb-{$`Mo=knqH+UnXb+S+GnOYKyFvh~;Ng#;u#cWgzH z5)vfL+hYKk`i%SFqp=d48A!CIiT#nGrlz7|&gY~QN%Zw$){DQhf+nvYa*x+|y1_Q+ z$EzbHVc1H1OJDRnuGBQY#ncTD=`FdqQCf7y*V}6p&;-8J% zyr7cF%nW&C`r}*cP`?js0^Qu)glqv5p1lq%83zn;3JuR}vmr!1@S>sBBi%Ff1+=5; z^775_(+#sNUwBKr*t^pCUI=3Rj3pO``KVp_@fjQNQeijCl@CcWKHl(jUk-19BwW~A z3Yq``dTO1dP*vjyB@WH({-fhHSjtvxiT<2?O%)cfB6-qJEn;iG3k(0dWtqJ94j0Q7 zN5fI#r{bLco1N`cG5^h=^V@CtfFmluet|AKSvS627$H3Qk(unZmnd!{9g{JnG+g3c z*MMFjCpXvJjr4^%Y}sjnY3oB}4{n?bFs;hqappIu+ycS7P9db=lUYwS1TK^45782^ z2l2fm^Jw9MDYQAj{?arkKm73OhnmX8Aoj>wo%xgJpK&PDJxspBKfEI`UnG2aTKKz3 znHo0h9Y$!(?`@@hzwa_}>LIeiZ3UPjk3*`75aU!+_ITh815M!N<0bW!s<&W zC&34h)c_s)URXOsO52WC(p;hXxdzn=_&Q~S`qeD%3$J0kaQE;C3JPM9aD6lA3X$V* zIeB2kHuXGVwx_3OBTi13w8r<^l>VNcI{Ws9&;q^7u(8w%r|cOlT!ExY6G{;tWErcbt{+pu0$>KI zDu#wks?kSmmtGmbgz#zu0LdZqog4ljjYOh1va-%?>v+ufq`>aY<;xyoJ|~hQujP8j z#~HIf-g-`8ad>!mk%lH^6w;zWJ#?wsx<3o(+Rr>+A3~n3X3m+`*SQX(r7E9$KQYPR z?~n=4Q@4i4aMmy#4Sdhzb#hS|b#fo>$DSYS7K(wMRfib6dAsz`+}8oea!d%<&3SX? 
zUiroIJa1Tb{Mf|8L64&Vw1y)jkDAPz$Q50@ywOhe=AyEwOA5P`)G-{4c)+VJ-#v(L-XYH4_nuM z&o#tYI?qamlv9wi%+w9bu(04nwgD0tk3o3y?R9M;J_;0$oW!~;Q6ie(=!9 z8m}6$p~MAb1JWBOgY~r;7==_iSq2>9_Hji#QU3Vd18i^`5j-xw|JS zQeZH6AxcyOza8rhrr*4}?|uk9{$Dk#d%C9Aw%%X@c+{fuq_5WQ6ih8n0KmK0dsrz=@B%MQ^k~7?6By76fEt9&M>0SH)ZduEKr38NTt4hnxY=E z0AD6X(cu018Jp0A2~#Qx3Y<9K6->wR@}^Wi@5bN1aOrfkw6q>P80S$dVD&P;2PBYQ zle84|*F)28u!{k5-o5IL|3i)MUqosTKstc{}?(U0ws>c%h4OBb9U51hrjqY?LU{~`rqUU4;a_w+vp(Hd|9b0Q15WGKgIG?S&&z-T9H}T8 zA{&p~;btE5q^wgZ-|;Ja)4#9x1|E*(z^jfB2Ar#93GHbfeCOlD4D9gzQSYf#rSei% zd45s-s9m)7b8~GC@Kx1V;Av%lRV`L6yz+NKlF=(SjQU>x9_(3~`Sd#x-3+@$;FoP=7E zcwoWn{?CN?sQ9`(ld2&G24TN4pbUk4Z_I~a@V)U2lY}a>kPaZ;`~-i4>Fp&`18GBH zOK1+SZDm3M0!k|9aAU2K$L9ssWqjRwMCii*s8KYEoExQoY<46>f3$VZLdxuMTpv}y zE#SY3&a^2R7$hlthON!eYES)ZD5dm0HK9np8yYy;D?4b#dQH@t#HUH$WrYI98hanC zh#S~qkm

M_#SFeOQmMz_Hp}lBA770 z_aM#Ra>I^>MOUsyY}qbjdiYdBk$9A^e&N?rex>n3ktufe-;Gy2ekM@Hv+3~$_!FWV zfA8KdOKE^(R;{{UVSMydmLYOW^-f!poG7PX&!5+Ji&NdZ_l)#mfLaP3JU}8;ZP-&; zA*QMF>$!89-iO@c3L(s6!OMDcWt(}Nw)Ek6<~hWB%%841-8Md~IRsu}dYb%QAM=Gv zS#lB*WyN0!3MQ;$Zm=*lbRw#qT>UaJ;eXuA_PB}_YcT6-Wcv0%?Lrdi)N+B+KJ(tO5L@|`Rzdl zC`Kn7AP!y2*%b-;s-PK$#F$U^*wVDvYuBxVs)IgnN{GlZBgYHraU3J$yhz{&8dlZ! zIWGnyG9)A$C=;S=Pju2oN1ELFe3ouXAc=t}PJNwH7zEZpzLv?8 z24G-P?rp$3yI1q5NLpxsu4?~@@N%X;Z3qjm{!4ph*T)~=l{N25nu zl~3#}N5?lv0YM)8ZqJ@-o$g!fNJNefSPkn4-YzgYH3v~}DMgDcE&@d9^=oLf^iDJb z-CKTHhJs;vgkl4gUWzk7N3T>2=5f`_QF5MmK(XabKL%2WRrt_3| zEhm}$)T1&bh|y$?xA;f9y*2pt_kW&`Hjgv#SP&gRgJ35xa=gOso40PoKqkk6vkOTk z+EIX5?LgNB#W&^v;&@b060%awN<$iKa(a?-diAsHiJ8>W*!#$r4M-PBMA=_=AX{;P=uh0{$1v?UQ(D2#;mU<^gS6w{&+JvT<`m;LsqBsr%cN{( z9I|{#G;+XGQGgM z;@!&XQFy);wz*qmWoz{zSCEB{qXI3w6r7CY6V9mafxiYOynd)eR$IW&!^w|QAl;at zm-3w=ifoXnIK&p6CVUcRIM|pPTTdnxw%e0S7pHgrvdq{8CByheXqQxLRV_i6JNB#v zEqw@F5!B&=uUv`kfH4Im&?0GA7cj4?%>eDyrJB|nI+U6Q8{Ha4J>!sOwOiLSYk>4f z&in7H&VZTz65iB`3DDXzPU+fcO*!q5t6|=`w3zi<*S5-pqn(M0$;K16SgXzX;>m|} zbk=omo`EvW?qbSinH62$lp$1WKUU*sraE$(bFtO%R*8g;1}<7-?U`UYIzO45Jm>N` z?t_cCL143EsrMcU&ZtXJQ4vapxBj?62^F>!pf<(V#PgVOm$^iTtmQbI0s|qEV+DJz zE=|g=RAtb%&`UkutHyn8X~3)PMj3H5{}lOA!w`|pA8>70$+pqlmTKpP*6t@xRPLGi za6yPrh@h-)kCOE26ow9~Z;Ot1ZBnN3oXy;zExe0!TMJq)3ki-zGrlz6#V#we89FAh zdr{56Co=*Ke<^EUvDJL2Npqcf_!6X+fOUqaUa7-2bT{343VJ& zV0hw0%tYNZz)*rh-}^y)VP&)iq?>?=nMNZ1a^?)q@PjT#ZX_ZohvJBbH*9EGaO$+u zQeoj{u!aHh<+`{t*fxkcQMw!~oPl8?6h$)>T$@1Oe?%?Hf`11IH4N(rW{A+f+l(^X6W8xg@BY5WGPMj97^i#&?yjLv-Jjdq9BQSUU}KeWx|U^Xf`uqzTL#G&-qN zD!R~^?}QPsa)N`klo$K2?;HazWc~W}AaHHiaB|?~BSbyWEeVPz^nLn`-(6Qw3;1Ou z1;EO~ufiG=97xED@Q1k~K8I{2L_>UheL+)!u|E5y!0K8et9wyBQy;{Sqe}?wcA?XRMrUIWbUmu$tcYLdnE^vh|5yoV?T@h5 zI%zi``dk&GnM!;CkJUT6D9>*-s8*sS7O(Ro!FAhHN4y&zr+2TP=lc~(p1D%{2<$Hb zcqa5#d2Y`b3*yJk!O6+CP^FRDCl4iyml@N-P}EP}-TdZS;Ee%zzM=k96?3k^aX(HF zLV0e#)1l$nd>Fh2-2Y9rK?QWP0N765MEuILnGB5haXG;!1B7j951JSH4dUd~8@Y{e ziUboWhk#(8R{XD145#Z7#+T}#L;=m4s0K`9KkH=C*;4=esy)YRjgQaQIo`PBKg4AD 
z`|m;0|EmVT6)AVCs-rnU{7@OoghK!kZEb>X4AjMcx# zB_=BQ@2Y-0azO<5zcc_e zLE^_J`1pdjKY`d4xz=yQ$M1Q*^HBHZez`)X#3Bgfjbcm}<>7e?E+>B6aSs@SL^Dh}M_s7s2KRK=1_R3@Sg`f}u()HfGkGVeq`adoNOzQ_Ow0!f7Lp$9x zgVUb5HL`iQsk9oh+2hlqNWXjT>vpMD#WL`sGims`gIf{dY;eU&x4SDJc~_PUVoR`oNb-Nxj{GjQ1PRTrb-( zwxI`@=^zSmiP<5;mn;_R?OWM8bKm%d7Xr|7d~P#>Hoqx}_{8k(w+CWL_%c=13*29Z zLL?p&R7CDOJFKgV$3%(l18WAV-UseFCN2)LvtSLS6689bS$iqs8sJbpPDsxg+%Le# z=ZnmS@Cz4KbrYXDqBQHNW|n03_TL6k3EWmm$$swDKd7VA;gpk>ntGgj4WMT?^LFXK z{aNzoaXAa|30yinT%7yTh$r73KGXMyZ`;>PmqH6CEKHF5>bLD$zRPS-bnZ3e{vH5|{=l-VOBO{@>4K*+BXDk5y^zDMpzGakSam!F%`oPlT z5}3md#VGCzZMJRNfwhT@l;mC;s8?Yk$bv7vczYA(2h-Mmck#c}5GFJthMP)|c&vM# zws-MR-R*y-88IEuMTGtB#1#I~B?}qo=+vCdH$V3;Q*wy?d$nZ$Dr-@Bj8RhJnA3>( zKGjp6&?flTNL++G5!>$i@p`=B$*0n4gz+Z+qpeg_Y@A^HqHnu5(s|n?5c(NXA2fM`Z>(|e~zW(}UyLP<|G-tbcj8g^V5V$*TpXr4$sX2|HadTf`rcLvgXxR&m z!<>FN?_M+iGrQy|o}X{JQ>zEn552CQp{Y8}wf zFv)g2iFPg~#G_&d=8w|bZvYm5y|}nFn%n$@ifC{vt~#q3X}2E*9+dBr(04?4_}5=C zpM8+m=|#z{q+dWhLRk_e9!Oe4d;lMG+43&V^CJ{xvC~0GL9={t8HGn59dyKzz&@kK z)D}X7;JJM7Oo?JQ))F-}R25NAoLEKLrOO0v_%TFdt68gcrL4YADOnI? 
zYu9+iL%p7~h;lQgTRBN^`u1nySp4|J3ps}vlyDLf_H$hLUOXeD;C+3wtf$4|7Qesx za_DlR5{c5-bd484J@Duk3hmIFp@;j<`bIo$f??Ly)vLeb*y9_k0#hxj;~*;bwj8|Z z-4akYL&gWtZb_o3I`gacfEQ|nNU3svD~R<*;Is^yJMhpt000e>r^Fc&dYPw}z0+vD z%6oC$foxFd+HE^{IA2cRz00Qe*MsT&lQf?AeyLF1`;*U}`L0lSm3J0%-RIBf`Lqz8 zQ~fPR{lDXjkNlAKu*I%;%{{B>czl+a!mIlyZG+^DlAgS}GEnDw|AHo;=;Y$dely*g zz}=+*pB<=C{OP}dTRPkUHbZs1E~B}`&B$)=aeL2GJqJb%bA}3iHrecdd`0-H#Ty%V z)`Sn5otvn6;T--?J?2LaTNjAkf%>=jR@J?`4}Totu-LHZc=F=qi@&{c*>F75vc_|; z`h29YHY0n|J9+d7&6rW#Ke|`<;O*DE%R8!M)DldVkv?j~^mnVOwZEPuBn5naxGYVp z%j#5OXH;+K%1vOu?)OoNU?f@dosTFAZoRilO6}uSTmNohePEhws0g3;HmP+^H4_g^ z`FGNL)7CV~i!=shhxYk0LRJVa+Mw}i$*wd)*zF?;*L{@wqTAsPW1_+L)3u{10(A>B zm2NvRY8&^hE!3BAbG98btyL-A_xWdhn%=+f`6RkJ);ehYpn+F2<)5k+y4jm~y|bhx zTTVW`u|P8SAjiyx-+b4u{T9^w#nr*Nd2|EkHkY8GsiEQLXH74hE8^od@$;(eyCgdu zDermjCFUB0im2=EdRB7x(#t_#lZFhNsTP~S3#}$L&zxVqR*As!E?c~`)$Xa}{jQlH zwP}_WepV$0WtQD7i_#V>lWrb*EFJ0DoVdZ>o}n#FBd7HyjlO=~oF`b=vc<%&6|-mP z)n_%6Z$9=>t?ImgYv?Oz#DKm4Eu!wX)f!vn=@1dlWEcPI6G8LNocY7-cyK}~AwJ3& zkJZA21hDHV0j7;JCDXqcZ!G%VIbIK17Z2*|7!MEkQrLWyO}~W2wU2x7O1kuh-$@m@ zRMVktOQ`m`PGwEEPKEK?QK03N(R<%*s$HD{{_HZtGc6SqLUYgXF1^L8|1}b z3oQx{&>0zV%L!DX9?i1p)L2kHWzd#T_sObj0UcE+G4ml{mJd(u?Gs+UJZ9a#UAsoy zZempU@4tVQz5zoZf$=CnLJ12>o^qoit6;HJn2O{LezDdn8LPj7zNKnGMB@8meL`0MyK^*CoPCoEsEyU^r zt{3+up-BOhT8jL7+J1T+SnXlJ6>luZYm$ZZcNu9Br34C0sMG}(*6;4IqW?ZFOR#oM zu}&S*L@I!dFYmJfav127p_GiqbB!zbl&)w~XUZ;LzWj1n*z;%4V)$%GCL)>+>9kI> zbK?WCS~om@W{UoJKz;l4`R||M+u*S9ym=uhqxPc@LsyaQlo?lel8nO}!|6S+YJ(^( znU4XgI9^dGK_&s-uMwSDP<~Lw!-yz#^)iANhPUYn+!(sWy6oq61q;#jXA%Nln{<;7 zhl198)S6)WC5DDfVCAf}ldnhI1$GX|yAuH95n2o&@5>j9%-|;rAajtoCLb6h4MkQJ z1gP+?5C?>)coa0DU>`9=q68H+CV@+__y6NB+i!$$5YAB(4dsK12KU9Rkp8>-N(#nEv z%1EXGRumyRp-yoG!8|Z!iK($(@y^kH`9D7TB0bh2?P0rp?6UfF%i0X<1_ayYaxla@jbn0Tdjz#xxqG1byNEZnQZdR5w9@8K=cJZV|SP?)37Val>mGbOf1LxwdV z4A4o$d&MgDf%go$F$J*O*lJ9W0cK5jhszUr3KSBRIHRpVViICDD^`U5{`-^X&#gQT zln6_y0UH_V^73=mLxNOD(o#&heY-yjs|~hT`Swo1?(bJ(d?leR0)!Pr{;K!@h`?KH z(@>hMN+d595E$!RgSGgW6)C~<& 
zhjnR+eMv}PFva6ZNV}7>IznIsSlIv%)2Y#z6?3>xnM|jq7iXQUT-SYmVt3lw)vI5E z}kJ}Y!NwiMihvpe& zE}NDASk7W4WNsN>~@@x)zC?a zN>hUJi8)E$@dR>Kl5@wws-yYP_5dPQ5~@A)VhHIBKqSQRYq3i>$^-@6AngW_qCHLp z3uW~vK451>dX9I2kaZ^`;&)U&SjqB!R0?LjJ$EQ4$=R($Ut{5tB})j-7~rdw_0efC zLSN3%IPezWmW$G8jS_b99G^955ws;F8=ZnM;;Z6%U(Hwj|-7T|T9)MPY z*bCYlz&99QlfmlQ9E3g>#w;V(_k<3|n>P|B&8?2|CN3@Wm)^^E^QKl{BOcB;3Dl=< z=d`qn8nimFn9%w=o2g}c6yneu4La8rZa`BEMR!1FFtH#e<`n?yli0aHo>bogY*Y}E zjxgDo!>{)*^auK-ky2Y!cQO;sJkSBI-ohKVVJJ}xVBp>^jkuv8+ex><=+8#lm8BOMn4|yd7ej3J<~o5M8Py7 zEMSii29Q8JW2_46A?_41^~TUN!A4CQTB!E5cfkPoykIqJ0E!G1e<+g^Iwr?Mo!C8@ z&Ne|M;R++@!EP)elnGoFSi6+9f5KENDC)O<{q46@+(P^j;=8E+3Qn&FiH3N3;l+eiE&B)DEVCG$}P(}%#Fp%=*RRy6dgiY1tYTjv91ficq z9p}C#Iz1k44R1ockk+u6^%UAj;0#9+JRczTZzUz!V5bm{3Sv>HDyP%T3FvM88-Low zo-#F22mBs;eOYyP^|>QU^9Y zWWhCJ_B$-*vR`vSeX~$)@K{Uh9*KA6II?2d_F*fAg|jTm?`sQtkR~6ha2mf5A^9qn z27p(|!3JpDx0KJj0Kpc20zf0k_T6!T8P$iFby%161WX^bIYd1Qva2AiLFm6g2x70Y zGV~7ho6lBekrppsJ_^MKXDPL+xO$WMWhEtFb}?@T8z0JnzVZ|5%g95LbW_GRlo){G zEw49~<#Slcer82L;5woHg~R4(`P2GocVETVC`0a4fe^*so_^S}*vua> z<={?YNmbhsEC?%sAu43B6(F$K*pof=>CMoPg2GPFrAuoYUcaS={xw%f3HptcFVV!Q z3~9_a%$(}aZkAT|qmf7IE?5o=$&a-5*&Ej{?SClR*swNynOlemqyeVjV`PD#M*aSt z6Ci{5Ux;{U8MHRQNX2H2*N$g|5ONg|SlI#pm0~o1-aM4eX*m4AkUL?bETse^l~`iZ z?oh%p>>&bHLNgbt0L=C(K4vqz$?iCD5d8oNVd?&!TYRGiPt*yeEuxxekg2YSFj+^l zx;w6rd7HVky1}ZMVM1R682S;9Ev49#Hgpx~qO!84G;NQ&fUM<83t!N!)64ZL&j0P$r!wQ=ow6IE8h`y-KjS=OrNVZ z^;05oTAy>Y5VlA(xV;*m6m=L1=pIJ&+8X`Hws(QcL{zV0K(pkq6am8^1OVXFPJ(I= zpdyN*h{lG&;>gFnq_eL3N>CAV1!HCuI3$o4h47FI4j#fBi;LA_gt*ooqu8u^Dy$y1 zLMF1I*Fb?+Ie@h7o<0swsrL&8K1_@eVlA-ix(RyMoDlYofxU3YvQ`3hpRc~^f4D?L zaEHr5`W+lqa04JJGX#OHf`S4u%U}MhqzDz+xIzyCJ4nVg_vp@XDE`n zfvFfL`wW9mhBe)sq|`1!RcH)S96Hh8S!=sOcDZ^>qQSWYyxH(f2(iWAy7j#^CQG;= zas*WWh++k#Wg4@!n`jCw`;;EjU=VQN&R@Vk>U8QTjzB++hK1NlYg zfKy*nVnjU01KwZ3LJ%4-RyH;q2z3y$X2ypVPnCv91MUt%DLatNAbbROI{@AX@28&@ zFOf$ALj;~g9O~;EEN*biuRn5XLUiTIm21}Qp$F}|>2xp$BG4x>@d9BnGe!O?)u&#I z?u!87&8<+IY-ptsX|CTbHRN4iT%8jy8$TFx4=sd@JVh1jLw(AmI(dGJi}L)~j5SLL 
zp*)!SVdp6&i|b|n_42R=Akmb{UuE?nKCaLD_IjC@`~yTA$HRG-YS5D*c$BV6m!`z{ zEjzTOs$4yMeYcso(+qubcCmpPP5x2*qyoRT6?J_+`#hTl3f z6*!aLCbUZHF-B>C5LeXS-Eac|3I?6rP*0{d{<2^h z-e=LBTJHRXUMH3kR29x^xpTb32UXMt+FgUthx$o%Zm(=}Jd0=pmA#1(FN7M6u}3_|Cp;~Av42&~x&=hcx=k$mwS|F)jdo2G1j%N)<`Wh^$oNglg) zuy*A8os&7mk55T7Rg1w`W8{@DRBrwJ{LY;N1iB7-n}p?PJufTNeRlQjw``4BReU>Y zh)Am7hUbHgt~s9MoWB0-azDeo?%)jnyaRGw>gUp3bklBRWsSjI)8Ooh91BKj3Q{g? zRAYn)r9sK$-ESMSvtP5iWm;RNh(m2lu|^)R!R0ycCx#EyO`$+QHN(U zc%k>xf_M~PO`55WM?}@R`RTk?pca{{)Ov6X5^qG2uLo5bsk~I;YiB*r%eYM6(K1L+joG`VqR)NF=mUwVX!U-^sS`o>%(&di zZs>zls%Aou_XE$18l`H3gA^Y5XS#}{+#j{gjs~1N zSgtw+{zth(=ez4j91T*A$zX7(2!=x;`O{H9Q`xm6OY}h+x5c{(Ck+U$1cWOGG4 zt#;-18v7k^vRBf3f`6@5no2Zz+8W$C(QXEIb@9`iYNqXb!PNl2s`!iCW!$NnMW{$u zj|ojHrSBDsHq4T33~IFv(qkl8=g*_xZXnh~BjTl*sbxz+* zsdV;>4U02Vt)Jc*K|PAp3Qm;lM3UTKG~*mJkpfbO?4I-T&WUVpe>KrACnKd6rXI~` zKQvWL6%CiASOz(I`V_Rt)hv2}H;;$6*(BbaYV3!W7GbmfIZ|@&&?#MU2eN8#fT(mz4$}9FvAM$PkJr zC9H`ltl{f7K-GQP;l?oGdfXVCP5%9T$yv zNW+jlW`LSR7Fdb|r5K@qCxp4~6tCvef8L{WC%fUnb}JyDXBR#tZ$^9AqiMz6f!NKNM_rJZW27pp78 zPRWOZ7}q79`8?pt6{zE4W(uW{s?oKokGMg=@o^#`7cIib%~$!A5<7HST|WmOVx3%5h6>cDrpr zZaWi1)J+l#2A)72Jl{f?Z!3@MH(Lw}>_pB4f z>=1gKr~^Wd38F)ZN8R0X<@K>3`}glh`(65s$_&6|wguz-n6~%SUBh$pMXdev?mBhL z%Dz^pO5AE6#!!`2JLEhe&u*0b(Z*x*N=219lhRmr5a&7FCR2x|^c@~C{jd$tZSDj0 z^^4Cw`+Z?gRSnYi31k+8xGE+aCtj;B>~SIl&{2N!z^#D#B<jw5@);t~%gBC)a$J+J++r>iERmWAM@);sqIH`b6A3j`#;hG9G+5yZCtOw~` zC&@4iy7zwLzdjn534=Bq60!~qzZT@Hd(jse7M6>KIoQ0nA>aFbzaIA{-C!AXXTg`g z>*>Qa45iW6^+rmRZoi2E`yWdK8dVPM9NRgT-gu26;W#hsW%A`NG&JVTdrqk}LXL`I zTo{k3Ih6!h5IP3x(P?+@jv_)XdHndZg$uPqLAI@WGMy2l^K1L;HjqVRMV*A`ctt|7 z2_kE|4yaH?Iduo)X;z;bYf+x6tTb%7zPlAZTq z*x)oBo*&sb2KxY3EqV9F&xFzxt?zEDAM%sf1JK@wc2!%#Ap(6A8bRPc zWPrCshyxM4V1Sh&vS)3LnHtvCbOdzZH_JCO=Dk%$n(e!8N0A3tcppIeg`wBfg`&k^GOzE0cfp!aW#)C!hMVFESz`Nhg^;T<`#us_UHz2|pMCBC@g zyeIBkQ_|+;TyFEocWDosTkMp-XB_(gAmb-!_}_Ejevp43NP@=dqL2i)IsfS~a_`ZI zF(t76I5t7~SLTjxi_ZPustaYcQIvq=gw>m!V|8Em`lyrP{$}j0*sz(M@iEZ@e=kh1 
z)^>EEG3etXBEhA%+$3NBVLku$z;FIbr-fL0dqlxL{~_$s)jt7XJP!Lqq`CkU4J-Ip02we$NKwghH*!~_yo&3Olq z=_Q|w$wqf3N=i{x9Cv~b#!V6f~YD!)bmU z@fH0YsndKm{CHY6c$(}?{NK4*V$;NG{P?2O^sQJJ509F~BU{s9BU?A;d?$TKse!$j7DEpoLIpXtwh6}ubk6~`xA<_Lw Zg~+dM7KaOdBFwz1vijbn?~eTZ{{S>&MT-Cc literal 30790 zcmeFZWmH_jwk{eZ(73z12ZzQ9PVkT*!6it50KpxC2bTo*1cEm%!L13>Kp<#v2=4B8 zb@tu+?2NnLc<;v>cii{J`H}RZyH>5LS+izM`MwpYsji5HPLBTQ(IYHnCAsI19w9M2 zdW6snLIJ*^U`n$FJ`h}>vG3ga(>_elpGV z;;*|kqc5rc{lS6A+cMI;&q;QP+5hKI{&6>}!Y%fnk^O6sZgjb%#Tf1wAOH0YdW8?pG;IFxdq z0MBsie4F>z-GSyk2mk8(&o7!Jh#wM~O&c`-A<%#R$h+e4*EsP1v-lvUi*0^_1=0(@ zO~@;KpVgSf`L1baOJBA62mI&Hz4JR>zUTKhOU8daFINFs6u!Q8$qh4q3jm*0xuai6 zSz!OaWC9=e8)ZQHD$T#S{+e|%V=gIMWFOUEbC%{pV^w&gJk|1-#DWq5`7n(&%Kp2w z@xL+wO2W03-td=_XeI(G!AS1$_rlfz4=ZLeI{EZZnf>YM8NOz8vfL{6-_!d9Jgn}s z-NN4kQwBtzX!DEiuQ^P>ANI+0*x;{$vBKwzA0zg+&b$I1Hj!B2rSjKWF#+>^mhT+? z_Z(D!hrRkC==k@*7=iiz?-Op&uAY~I~V`?bMEaT z4Fkh^JI?;!+vkm3Zb3tXN40`iM)_aUqy^SB`o9<8|0mk52XS0%OJCRcZ}alcUHjkW z1%6ikU)b*d^URA8(?w%JImp$+BOLsiyUd{B$sH9L85#yLCx}C*%!UIyW?{Ojs_KP& zMM|+Vh|{o<$FRkd7ZVdRq^+&ZX?vphRM@1lueex{OsoYleatg@S`V3ZRT6O&a`RODlAF==+Sb-)n5_yF3B;OG)` zL}gH5W?@01&u%9mAW)8{6!+xGlnU@)*fx7w!;p)WN!8$;`30*C^=xZUF52`)K~b?T zXngfJf*v?N=xO)Porlu}%|@~%lp{tHM19Wf$>)br+UGr|jnRfeA7OjVRKGU+S@JTk zsE7qE5eXGLWV}dYgvnr}oDRXk6l*!%Z4Pe~rGB2N@>#H0LHBJ^$(kjznquHsM`=Yf zdzo>osPADX>T*vcftigBYv`+t3SJ#OL@en*Tl9$Q`}=!Bs=R`4mfsTzsmyvtC-jhO zgJRqy%G6E>Mp1+w1j`gL2pP_D7aqOl^RDtZSb%t){AQHHWgx{%LT2RgK>Vcw@+lOr zFlm=8Z>JYskr48z|2goKLXRu)H$#vH(1(9|q`@Rb&R zGLg6C1AU@=IHgGQjn5#z{@I#Q(*bd|;|+ns@GT)jxtCFq15p+O@z)v!OJ85#*;NVP zVE&r<=z{oy^n&~%6If##B#Mn!dP$Q^xmfn|b_TK0T=*Dno zruM}FnBt9^Kek4b>F2JmN=YV4rHcZ{PYfGzJ=4g81BD>G6~T2jG{C&inusH3 zdpkvIYrQI4mude&BeNR^4;EfN%HIA2YibO|Y=6#7kyCe43bJ&4D{7`7V#d+k^SqfI zlbuRn!%l__w>?jKY16HeIu>sy4}MLbOKSVMbnLyG+4j$RgZ=0onSFGMie^bp{W`0@ za>LP|R3r^1)J4t?5!wwEtpaWw6>K6Nr<$px-*{Gi#WexNlWqm})sFnaJ7D>&09~;C z#PQSe%&_|1OFfduJ?94cx&FF(Rc0921n{|PPB08?w%6_XI4p`kI|D6?Tzj^$95`M 
z_E~XajB{vtuP^RqwD6CdA;qVk#`KVRvN1@WVAA+%&exI7t99NI*#3k3*kjym&+BBcG4%t zEu`w%;v$Z2ZCiyIUApbpKOuk_blrpY^_A$H=gUWRQF;8rYr9?NE)rk#IcP0eH;Rk4 z89CpZ>n?d&+I4v7l$zQdOgLF#L;>H(*i@n~;tKVC69RgqEu98cD>p|Hc9>1JXSbt| zrIsLvWr+!M$%hP1mK${c9?nQIBBi3jvYRYJYro%Vr*1n8<%Sz}7BhYa1vOW|B1AsX zp(=S}`5AlEpsF7RtALoFOcFk(Bd-=hPt0C#{pt8dV1+}-0ZZ3^d5T+Y{#hKNzd)u4 zCCy{;LA>H^-FMfNj!o;I4zmt?Sw!+vjJ<8I2}+!LJ`izq-CZowwB7AFhC`{N;xr^( zm|L#5OJDY1JtubE_g@wEXYl>apM&;rs_~GlaACEQTB;MoZe8oV+IRS|(wAxd+T`KP zglkIVD_=$ZNNmC$QAUF;lJ%vU4G~47>(&p51vIu}srPt&(0by!qN2iS&Y|HkO8EVW z)C0fx-RZb3Bskm<7mtk0whf`4Oz>AQqvm@cJVPcG9?9(ZQMc3mY3Hpn#zcc*fXb3f zxwbB5Oy#1Bn_iW(%CzPo>r&e)H2t?$M|A8_dS$KkNOs32)$9HFZ^EsWg`{+j$61+~ zs$M5oku2G%mA_xMQWmNhy8V2~wrFyHobqyH5z`<%P{_%Bs`{t>k}4ag9)wn20ha-U zhflv&Bz0%&xt5^Vb#oy0*sG9JqCyZbm#czZlJ-cO|MsuVJj6L5cZSZZ>| zUIrYLh5>hHW`m!&5TG*2L4K$>)T&UvSMKv}Q(s{A9=^W3+OD3_d|L6Hot>^jt`B2m zZNJm)x_~K;f2AmRjfzbPs%$xawh7pm7rZiy6Tt~010v2Va^x=!n%=$s;7zDtRMEKd zL0~UpOM4>Ch4lNNmzr+QyBk|>?ezYX+vTp?4H;gUJ6u+$WzWK|yyXaQy-LW(GVCf_ z&kKY!dSiCpt;Pr!ZfS#ZhVHXG7L;GMEQe7fvU)Fvl5|lxwj|W^enf<77&Q4$>}{7; zs>jW}hFxs`EYC;96>b3}zG+%} z9HEGwT0MJWcjh_8U7_=fwwryG`i))^6HE#rd(d3HgNhdZWR5968Ez-DIX@H%?XI$b zB0|k~j$~CmWG8rI2z}%yzEoCni{I?lESEPdJX?36T(_o(!J&_vGWOwGPs2WzLYqhc zlq&WxqiHkL`RVm_#y&`Q{$vJnw@o4AAy9v&Iym_j^V@|KZcdw<{N_wGKc(;KhS}yJ zldSlh_cF5og-3vJ7Hk$>bO7|8K`}Oj+iy!{dCGrp>W2`vsT9L2smo5BL|QZSE}Gj; z8paKoaB{`>1Xrc)*QGp3TJD)s5*NP+{C67sIU;FA_gzo7TKFGt=Y>;0v-98N;TJ^L zdS5_4q#@IPySI4nfG_21C3y@3$Do^?9d_fe6orn(=luv!SRcJBQ}z=QBli3T#>;L#=0%;Uv}yTu~!ag@}?-AV-fka-??J^MDtcxEg{zb;gr z0b^w+Ei4SByLkVLnbUz9T??6F&jzc)CTK&5cRr5rSKA2EqfwE4lC zNL`U%@iFF#yOT5|(-hWmJ$NjPP-0Wgm^hc#py2PQ8>&7w{2MEJ&alkx2FssJ=xcQ zU?EKk@K1+8zq}d~n*gs7jDW5s%yW!o>EzT-x?QzcJr~S#_BqwUDSR{Lfh-0#5Uwwx zWP}BofEVC{b;FOG!c7dJ<4FTYH6%66=VmllgMnDV>~e2OBj`mdNYl32n;qKFe0R$? 
zzF7|1y+O1fQRwb?Uvapf&y?qQE2Bpvwv<84g~_p6SvKN99y=D8RCUX+f!e*iT;lW> zh_Aq)$5&5|?C7~7z@ww{Eoo}ADs($->;poM2^84xx$hmQV>UgA!7o%(ynm-zOCFPn zXxIx#K3)uZ=&Ue5iHybl*{idhp)_r@Yeg+>h8wjh;hu&-vdiKh4#l>ZBGt2?NpMd> zCJzFP7G8x6!Ias%@6{dKp?RJ6PX22$(>(6XWswYGgR73g6QVKlozBe%hG6_&XhPnY z6SHgR5ln?XH~qB*q-Ly8b|?y45)Z#nDq$0uKVLpPhew1;S7Ao#;cBEP{x%QnhK3i& zlUE>S)Rne&MxxJ(OJ*t%oxqcc;nvZ)Wbfp}sL%=y(}HAvoqL^P^a(~Mb6oD|$05Q8 zgU;Zg^=pOssxt-Pf!0*~qZ_q6jzf{K36@b<8YM25f@#W2%?2n|BC2hndku@(lw7ey zbTau4s)`*51P=7vA=o3!BWU$4rXzNRXn7Hk@7i-qgBZ?XjRMN1%zunbny&`C1oNC~ zezlhbWm_-^-5rBM{&Pr=kTK&f8Il0z`4Y>aNW>>pYEN1TIq)$<>K5 zGx}~np(48^C5hkio{Jkl0k7wg)?-RUJ8Grd*U34>GOoFJ+^+RooBV!}Y`W1c535r5 z7TbnJNdvcv8yNyG2}Au_NM|;<>1kOOP6jq=vP5aIr(ps`x71^SH8MQ7D>)@)nT}2E zwQ(c`?jV#xu_J07{awPzrpCp|S zp|8Sgl0ZG;g^A`K}aA>_sn|{+;ad{8%KiizN2q^99$&<`DjOVTR_oXM0? zt8FFf7QGx^lfsMN!iN%kv2sASBgJEoQ`WN!zw6~* zdz!j+{H`7Ojl3!KH|M%H@2`X?gDzFJWRKh|dBUQg3f0#n?tNWC{8*_O$@TN?$S zEefR_nQLO#@F-A%m%3|ent~iORh=)(BomQA-L-9Ncbr$zlSkr1@2qRONSOM&We_nQ zF(s0nG&%v58$D;sr5R@r&cW6M|H!3gW}@6?mN=eJ@?bie=xPK$r7AI{>usd36K52o zesCfI^v9NB$Dxcg?u;oGNV_OiSCvBlCJ17V$J7;U(I00K5rKPW`jpv@8-3~}q+e1> zFiezxBhA)O94qRKKLW|$fiy^-!j@nh)rMbtd`ZDe)lGKj(3SMqEFIw_504^Rx(g?K z&=qB1ZI*UAl{uxTtO}HE!LB?JM1qOyph~qmJ37XroXZL1K<1`9Rt}!lQ%t{}+&BAH zH8<_OONn+9!fl!x*~y6Fd@N9!Npqe^a=sx992es#DwFD!;1yW=!ncLJ<99ViE@{21~XZKHoH`4v*lJaTQt-KrqJyb zV$;851D0r_HT>Gy98adpO0A?we$+{za=#gO&l=4`?f=&RfK7X$+wvmVv7iek5;6O_gGJJ3gJNR7WMpx@(KY=zDSgi3FClJz8 z-u}kJ+uOoN1Rd2#NqRo^iM{K3Vm{}YNbEkw7~~Bkj3#c-YrU_=9>qav6vcT(@gILT z)f49N1fqY#Qi#)Xes%dl9MxgBbpb9}#JI~7L(FcY^*HW~8BX^fSLyo&4srZ=5X*5;ybR`O)5v%^ zYt-U=t^=i_q@1)319X+t>jwsm1SJ%0tk>{0J#~wXloxI6S7GebYv(6;sQ4PeolnQD zh)sVBxnRm*<{eE1+)c5OhiK9*+t1|es2X{hlMLw-AfbZ0GDPXT8?nJQ*_KHJyLy}> zM{-YDDT2C9i0iZ!VZ6$@^nj`PR39{ryz5urK8=SG4H3kAPWJ@ja@+fRed`M-Nb2E4 zN@L7oS3>BcZ7U`+-8+aFW)}}>cM=GXK3TqP#)|$8RxVZAr! 
zBd5tK(B3VbL14eQQIT{PvMT8GiuM?PvzjR@`a^c+2mKq2gd=Yt0-(jlrfdWPr9>tK&o`Cv3>_p`w z|4*;pxv$*VnJ_uJhn3X{q%mI=QX~tB-BtsEii`-YBjf zBt`dPpXRH?A-3`GQPTVzOy>0GW|S;vmniYLp9+0}7@_{QDR$rW#`?KV73lj0Zkn_z zA2*rS`=opeX~IA}e}y)7HEofvD-OLm*4hfrgkQjM&mEqKzh(BKee^rs=D=`Hd`i^Q z9|K6q>-h4j%mga{s~^2(Pe?lu8IM`=O2~%!?EC9$UBnZh`plP8%eBLRm_i*)7O-LV zRVtH;61!9pDziB1m6gk!8c0A|a^%_Y+1`*#z98gpd69R{&KN;q2b)YnUp)#6HWP1Fwr16EN->p$| zoeFU{&dPOQ5(%@+L1GmTB}rLa4~;q{%?Vz~-qjxDC%%mz(92|dUp0Uk_jT88wn%pJlfD^|(lv9aJ0|yYI&APlwpVk*Gvxf= zAQe2iql2)`7(B*#rsMtXee^*c&barMTG8>CCiqOwRbm?WyvjiBz(xTWq*cqCNqu0D zIEY4dA6{u*z54BNKOP|QW;o!Q+)y;1*oxaxPdm`w7>kl6eS}?1>?zymE9R zrlJ`i^;A-_x7>=WezOVUuw3rsMdj7VV#8Aka6lPXu?WZ}V8EovebvJ9^X)}vs|&64 zn#F5EY6?9P{0Drpv`B0=&gue}r<;*>&ze`$6GNkX5?Se9@g+g&h<~s8z!Ui=K)w{b z*u$mqXSg2{fZ<{pTTcdlb_3?vj8kM;p-@1A{Zdh@fSBT6yX zVvr5vTe#YWqJ^E7RdI8p5hDI&Y9Np(BW}xJK**<7S&3rp?_-sT_>laHgs(K;+}{Y} zTlaAVk(pL>BBUd$=&eyiyB42*@EM~)!&@w$i+wC0xuq1fQ`vUCeF)^13U!OGNwQD+ zC>)bT%XZyEIea{RXU#P@ z;_%y=jM@4p2O^_`YSXbeZDykvD}YkiFV}H3cqweTX(OA%XCYnCt_w(1c5jUr$p!=j z0C_Wx#H^d2mHtGrRAM^kzh-uOV$BV%u$cYhBCBWm4nB&X4DkoiXbAv{bfN)l;D;fD z>K^&3m!Uf{#H%0eK1#mQ_(3H9J-_x-h#-@NIC|rUc8x9&c`Ul()&92wlx%CMd2Vl# zZ2r05+{P{7y9hch+-#nDVD24BY}YH5lkC!N16;5>ISL92#b+IqGATKx20H;!@-{ zvv!rk>>3)0fylps9nI$v=8%PyfKzB$1@<$#{l?k0((a{9RaLN1l%B#X3w#RNR8)KC)RqZAAP8$VZ0U; zOhX;3J!gJ*)q7r`7+2`6#XL8iGN+r#qD}IZ<9)OoVW>OZCtStd0)i_4yXzM?3KaZF z-QhSz=U)i!G!VIzaz8rIj;A(GHEmR>Si>@v&qHHxIQ>7E7ct?~;6`$pWFyMT$cWUpGR2T1C}So`2{?yfOV+pYGQuCTv=NF`U9 zb%&io2zH6jR!H&jGJqK{twXKt8HIkrYl(3{knX>m(QHXM{s9&XsaaihqZ5~Er!MA~ zK=-uO>v@%U30_)0sp4;O()#+lGKm)S_S;_lVGn`E=h!=I$&<7-)va3wN+)0NuguL` z{@y5;SQ@EpO4|3!*E^LO8)v7dj4VJnjZ-)RPyAi0u7&ymqQ!D-yRzEuXV7ul2AeK0 znBr1^9g#bL6m6O)M)F9LY7#tootU%;RIA?gtE%K8J#Cvv5!JG$f8t8dno>+u8^<@T zj*5&5JIWApK*y0d)x;NC`=03}O5lsbdh#X3_}O?%MeF%2W5gz|6L!`I^Mp@iSGtJ9 zs<~A5v@*-^EbRsOf-ji1HiNY*MtC80mu!ygFjqEbPrt1KGu{vwtL-RaRiG#BkHK?~ z1uvHMsB*^i_f%%4kHx~v=|4C>++Bndap*9L_4tS2XpnV%T5uVWux%zf|8P=_w6X3t zttf|?_BOa~JL6dsmOb$yuk=^k*SSivDtc=>#UFw4-x 
z@E7%leQ4DxYWL-LiRcKbU1Y1$i{3ls0xaY~K}hnDc<`rURIqU-gG++*rw9TC z;;SJW%7XXNOUpx7L*xVsyA{pbC2OwVqar}-@fSeNCxMbf1{n&op;_OLW(Wt7z@SG- zEQrD0$1AriIlg@B@GN1t+s-5tYMh?*nx^9Hr#Z#!XeGYK(bt;7AsAVR+d;TyTo_sj zz!s6Hi_#j5p%7-Klf6+Akx7)i%t3w?EiE=J-Gku10wldvv%Kt4&)+*t^XC(4NSwWR zHPx33q6)CrR-cx(#|>~9n2Ug!>q26<+i&0DvrLokvT*O>3WeN8{$6-D$fbP9)A%$y z0@t2!o!2vQj}}Q_`l}+1pMVXkNjA z>Sp`h0_19zqWj0|!EWdiYyS-Xr#25u6lQBP(5}rSoY2SuRJ&IQnH0+blynIoN)~k@ zv(5<=1vES?Io8W4P;L#(@HM57MvU3#I6N7J)9OvrS{|{LUylZ8P3VchuX@nEZg;Jv zRAA%@f!(h^AQePTgyYH4lc;)`mJoJ@%3aBEJN=pnihT^r8W9;oSTY>=BB^SZi;2%r zFp*LZiTR4Qw?tX^X3UE&0G6kU9Hop{t_0Ubyq74N5%Hr}&`(uZbY0RYcv>i85VT)6 z5s&OURq=&z#GWAs_jA^>v+UAenOd*~cVgR9oORSEK)9w^b_vgS((NjgH%!O-qd=Hv z^f+=!0RGj+5J->owF+UG)a0!ycIOd5yVHbCa9AAMS?t@-Dj>_p5@uSv(IdL)(XqQ- zKG3dy7mbkRB7d^JMPDXWY^;eEPfAv9`~c?(uhTdX(n?S<0$81rp25o(wy`|w#fzG* zgmQDtJ#-@64qavtaOzVH>X=#dJsD=Bf13RMgf-*1Ukn3Bfy(9c`#TXjd|W~h`F13D z`6a6Y_|x%;mn%6gc?9-skfs^MI$lDa?9(R31^zb!$=t`cKvFnC6w|ioK{>YA`O5X5*Hr5EaegK8Yx$gksQ(29%$MC{v7fYSGG zv94`316keO#z{_jD8Ku;E2-CgG0*J~gW2s*lCGXD0zr<7#OSTB;`{8&*f=mcJTe997f1~PJCv7j@$#b1)5?7ORavmXwDJgHH%APvnxsI< zBe-;u^Wghx=je1?BV3lI;s{=nPAzmDi?lZ8pG$M^oh6V1#b)?1Qu3_?o-xVEb25xFAh=b zqUJjcw)q|>$L-cK2OtKn34p@=PR>L-`J`zZ+Gw6-GP-TsUGM1Q9=zJdsLj)LQiJ7==hq>4YmJ3gVY14aM7pP z_icC4%pZMwsz~G9T@* z_NIzqEe@-*&vfos8UuPv{Y{qMaT|KI7A`U5PVDo{Afnb(_QV<{tBE(0x1VWOf(3-b z4vqECDyW=m&z@_1e)-B$%u3EQz*n3jD$WF`Et646Wdw^_Ybd&uMjnAKy4RcK zN+}sjQk3&ph7LpF3QV#QRl}v48FkXT?BXx@yaLCK4Oa8Q>r1_Ef#h%|s>>8!*^rSi zJX~KIszlPlvDdDer$gQMdR`TyL?LzSDEdu$;dAlsg6i=DBvs=!Z2*SfYj({#u8k*- z*?)BDX1}4~f1JelTrwe&rbGb%j0h%krHxHUbbqohiAi@vB#3rzy*4KWdxI-jyx4Z9 z8>H;NZPi2G%=bZ-WHtD7z7*Y9{$Tm{9Yzc+Mlm~oRv&E7FR$lS1^4;;ptNwbmY9LW{DJqs*YZ%Eh3f> zmjQdC$|Qq6GJL>sCH66ksd-Qv2TvD-hvKQX(T9mZ&%yi$Jp{nymKSus#GYM*u4;%= z!l+{7BK_8zAgi%AU6VVGSSqUp6x=c4e&kR&%pH@6b_+hrsnBR#tVla8RX9c_J)wie zVd-QHWuX+StUGi~*+6xj{(W=@J^g#0<+~RvU$9@+DxuZF(ewt!=hp(>o2>=QroLJJ zCoxVd^}4GCffu1_K9y(^&e)FXTUxCL)M(v6E{8!wg0gSXpG&gDgXiG95{?uqWIC+E 
z@-?E+3oq@zCNhQ(zY3l=*zvBFceq{tn|R3*yYlnRZe*kPw%&3V5OopjeynY*5K@vbVzFE+|d+7cnyengA)V6@ra$OBoQ*hA4s_pXek$hDZ4SMr&ZD z{X?gCOjCOEsb#obVBBg$yZQA#0BZaFEO%y4wq`1zVrt|BuvkBk)8{4i9)3)HlK3Z< z>~C@dIo=;oSee#>)m#Vi`N1L$5El^}0~-#d;>*hnf@RVy5 z-N6*YP%dLs0GP6xOY!z|Er$Px{1M67h9}cICYx6$8*tF+9fvs<<0uL;3MwknUyw%@ zAjNxUC!Rt~PL_tz$}H*e?j4`1s;Yo9Mp-j*dibM@S)fjzQPkz2sqJ7&VQ85#%>#@D z%Y}`+n*KvVSPN%e znAIzor0Y`SrY=^%@&A?ZNWj_qSEp`6DEzwTEZrd-?3+sSv!syTSA9>6zAv#THAScIiAWWaP z`{h#D2hU$;+L@`nN_iv{?~gKG3q05-Yh#wLx8D#=XzMCk)07mHQDN9rt!!Xc$22;P z+}Mzc-P8K}tEq(%hXe2*j@@`VG9>7fAGp)Yuk>dL?2_p!>CI~^$zj>R_^r`V&2;`& ztKsxh%W?o(*4SU~^(0Tw!4y%1zN^*k`gF@_sUwI-T>Mvu;M?{RTco*z^tqKQIHXr< zvRpIK{4-I-3g;Y;sA#&VlFBDew4JF+jjoU~-|b$`An#Xm1g3dbj*gDgjm{R=8KM16 zE*rDiY7B?~kaXo`mHMzMfczWMt@L+0h=_Hm_U|=#$AGI>WiCGrK;iTn-WqN0?y73x zXQRPhGDw3SsZU&>`T;I^Ij|uiHm{T;GcE0D~;Q^!-QEI`I9wc2K z1iHPQwlB1@Mao#-{@EV;A>rC2IPB|F>S5`4p6aNl%Zhl;KL7#4v05+EfT&tn{Y%+* z#klajg98ma+2h;Isw&MX=kGV6j|@-~_z$AA7INd<}EA5Q(;0F90V zTdoj}z}+6yy%@N$Sp+g^9RE(g3OWb4K(-@0Z%hAu8)|w0hUR};(|=I0>_ogW0&H83 z*@nX;juSMz5Z5oR@BZ^={oDn#U+L-~*yrB|O&j!Ywu1u!?M2!j!6mO=v_IUjZ`ixT zEf#qWVC#-569ki`zW{Wb7te-P|L&s%2;yEmE=cjr5Mi&l*v1$V*)C9H|58rb(-nf*%7y%`4&Mr~375#syD4?w`o&n$ff2wV6=??;N zW1u7?g$ReC8X3_n7Rt)X79VmM)cd}OJUTjZTIq?5le__nB=ORv03D=$;A1TnKC9Y4 zXp^UJF96GY#yC1YPH=x2_W%Y6N*ekx02ArZI^f*e%+k_w;O;Hp$TE%&0cYc|?^)S5 zWGjUZ+gJRnYg%wFuw38Ch?GgS{W+W5vlTeibaV~wH~J%#w;@|e1L=DtC2IO0Z+y?| zts*46_>~@^^E9|+sO1BWX$}*kIp!c-fCG)eIJ$)VEC!RD$o3G!`V8>*OMt=Zz)y}` zGl0fQe*Qy`7tL2S*VA(JYd_T9mj&oT66j*b#KK^@4M_Uz`RqA(5#X^>lL@f@kRur> z0qDanz*(KiFT)=%-3^>L0=r+T%<(T7gT(o4UaTb<-U4ayT2!D9A46+{8GmHSdxYR~ zyKh{dq_y!_DaqDa;T&^mF*r|Y{AYdno?OQwnQc+2QDOOQto-e88szPK^C?L|JK)Gb z%zHoZSvRR5;s-vu7y-Q3?xiKu&7B>LBK53i0Y%>E={@90aKcPwRNWhFKskRms>i%i z=~XH)PV*`wd2caQVWb@4>h2yE8yh=OymI&Bi^@h7GqE65(66T6!wmB9M^hGnmmD1% zTlg1WtIe7HjanhRoQkg^`*s3FXzjH!5+9)aEkeVZrLh3$%=GvON>iz9bg?&=axC~z zd?bXJBWO1nBH?q+NGBt(wmVZ}W@>6WuvnMcO!O9D*YY9AeXo8!*agr95Zfu$Le@Hh 
zkd{xk#;@YZ9vqNwcvc70olR>dOeny;y)H?}R?4P@LJ<93SvJhc_Q)gBXOA8Ue}=yc zfG|yEj$?f_J>gi~z?-`u2$b-%R5v_{MI#KLQiTGl`RQ#3wr|&};Yi1HW5Sl8#?vV|FWv?Ii{jiMZpi9QlnL5S}wYxIUG~ojX)v zh>rhW>)lozrl*I8cqJPDWOZFLrLNke*&tb~z)l!>T!3e%)x6nYAYyRvKHH+KlFnjd zQXhUZ&K)#dA%d{awa>dR_$PD#PA^y;gt=S=@Q|CQ>eIQjqhBOh5v=!qrPUZVuWAOg z=_?h&|I!>NnoiG7HISDB&4bO8);n4E;Ke;4zRB!fu$+Qz3(+7VqYI$=inESjzc>q zW|jnjI<==@^l4U>LE)bv<|+dM%UF}qR|6zu1w2Af)~;_I%a1iX==zs0m37sUChUcBs^uj914L3EfLUG=-cb4c#D8v-Y9owDegee_a~ zU39z3=?uB=H{22=C?o!dk*l|GKPz_zKEJ&W`X*>frjkHj@@TmUG??ZEux3M~vp?)s^$XRe=gDfZbJ>Quwx4 zkZB{98lAv`#40lm75);3uOxtxZS6Ox0J`G@x*LA?CA}B z)pe+ZNKQ-0#KT3e$qoADjFI>GyWJTUnTPKe)*o|N;0OCxL7=B{G-3C9xUmrP*vACo z_~rft2D7fZxER0AG9x22*YnfUTV*3V(`7fhzy!laCo`Zdxn0q_XS0JtT=|NsPEC>YU-YZy3*mWJ?aOW5cJfc0 z`iT|L>1jQA2YArixLZ9a(~=?^@NlbUVNh$M)wmif)|JwJyZ&Mk0G3wfdkfEY)>;F0 z3eJT!^Ym;i$qKKtn+gNs_7K@{Y{6GGbM=z59oNR!8IEltzDH3em?YfBm@FFEnGFL& zKNn!N`BO$7MwjJ_*X5&RIh0pGt+mJ@=$KGWhTw7fYYwvGU0ALYHjGi6nYFQAT|jNBiLpuvlLd5v0grlmPvQ z`c0c60t4fI`@{X=o@0QR__?0%=c6?K<)6AHl`M^AMYz4t}C4`50{&T z{*l6J{}Ht~Gee|fzfgjeN!Mubwu#AiLu^r*{tl?>rZ4Neh?S9_yB7-Pp7^bQ)D2sO z#)Ut|xb@pIe+xis$^wpv?$$P*U4hkhl5TGWFc4LyDsT)czAcTF>+Rz*lkEh6RIxO6C5i|K002RRGhaLcJyZ9Kd5F3|fgf;4r|T9e8Wo?ctyz`` z=j3>^0+pzor z6+87=TV069VS9PjA3xS|%T8yYu@X9RAA z`%XZfXNsiwLO7*2AVT$XaHhtE+2%vJ%A|2GE)I3Pj&g*>H~+;Yy~R zi5;{g9cRUk0c=wIRQ#?pivLL=j3VL2W?*0ls-7MZ5T<_t;Azy9A_SbNmLy*kMHrMH zn4IM7H9V}I)CRdU1ksG&o{HHo3QidkxF0M~r7C=vh?-x`9@c&yDQ$WK$(p9j@1}&N zW1+aC7d%Syi*G8jJZ3c&&}I;BZm-Pq;^I+ey*_Toa3u0XzQ z%_J3;cJf+mY~Nw7{>%B;Ti;<|H>MRPCUOVM2>)`Dt=6B`M=9*jsbl~A%z@WkVs2)4 z{JFx*Ta6oSYO8NY|9Fqh0zNWv-{Y+v$7TjYw-M{^^HN8kcF`&;FexsRU%36)Zf7g+Ud{F)>;}MjeK`Jy z!Hi0&?+;M}4p9Ms2NuA$CzEpD)w_h#w&E4%ouvUhI!h0%8%HWrvjNJh$Y1?{eR|c++|a-+$k|v@`%-(Cn77FGPz4*<<^U&x8Q!i(a96^ZND116(sHw4FZEsgkkR2Jup zPuf%D!l-u#eEnUy7-$*qslJmY;GXv6o$0IHAmiVD*uh?!4gTi`G)EJsw2l_%4-HeyP=g8uE9_wjd@ZmHXDDaNYMjw^sCu*djj z8p?agX3r^!C?=G}73Lt4(?@8S^v^d9abrVN`VQ&Ua@HX&#PfY-_V%mjLlBWs;2N zU9WZi;|G9^l>*B&@I0^0r 
zb1Z>%l*Q*H>5ZV!y;>ZoGBTnTG6OPxSG2n(^kieC$TxztGeVS}=j-ac$6^+Y?s-=_ zIX)GkUIMDQxu}9GvZ=gvh#M_PD%)O`%xT426PojIyP^E(c^|j`QB+Tzu@>I8=^J~% zM{Szv*s6F^9}Hs3UxR~%lO%Gxg<>dYSXvJMPM4()GfJ1b`t07`5*a27hxjL0r2p7E~G)i3{>J>?19 zJo&(Q?t>$#OY&Xfwsn};foeXckAet@c$WdMKs+MUuiHA|z_p%KJ@o!P=v|&hL1vS} zxXO{sH)LAijbA=I9RGJ5F$Oahiz`JKPFQ!h#j>wSCJK>aScxD(TKwhW?eOAf(4#Oa z)b~fwtwVExXe|!Wl?W_KMDw5?$*x}!q?G6d?qKz3Dd-PdMOEB)EcEY@%q^qYl=+pz z&A~avAg~GL(un_gjllbelRWk4j=T1Ui-+eDU~I+EBt@kmooJpFrJ}>8~9PVR=QT zuV5un#AtNBkC@Jg7z!+DuR6!uaE*5@^29V&^0Qn8NY@MYA~-@Y3cTb#9#_d}+fbk# z9nT;53mrak(FW5I;3jR3^zTOeyHG`4jHu?ke48ck9Bl!^TNkAc)Ms%G@`I zFX)Lrw2&perMnJtxcjvsnbPz4ph^V3->L8S5AL5xD5PwuO_S%NiwyTHBt978D%>@uftVu-7{+d!l; zX_|0_qO;KK%vl_-1ll3SSn3v9PMP~+B(ZWw&XzU;nUS;JEhmYfuL}1fIFv}-_zGzx zuoxvIDt-L%q|IL|j7~gYkir$5S;oQ=Vk7NDt4iwD70Hv|+fU8l9-U67-k*Za_dW>w z-X8y~z<5ZCxjB%Qp4TXn1jZ{iFtZjXoeP`z=rs^+_}qF{jl$_ovWA4ykQaI-O!`o8+Q!qUkUbjluhdaH@l`L zX#A+J0+*^VDJxVayW&~Tqq*;`gG<;ua+eY~_*quF#>+~Q=U#xBW2hYeSvujr{k;@y z#-NO;#Cs=1BU_u&nX;=$s@FLJnGF7_LCj#^z3}>5C|6IRImHpfw4&Zos-^uCLr6Ez ziXdRju!40VLvDF(p^`DxgbbRzKR*DlKpo3D&c(xEKm#D&!t7%>uZ1_&fu-Zi)UGjHh3BH1dyFsZ{x<| zp~@%C5EOyuC2Kph*wXqv68&<#*ZPZF5yz2$6MuzYP7@+W zX}SwJ4Z7DUTEfQB&*(`>U#?2nSI3(R#OgXzu||om-?eO{7USD{cD5ao0<5(gk%mUK z-W-uIm@=`|m5W(;r~@bnl?Lu!L~?RtzW-+GJini#Iv zj`}>}FZD$hx9-hV3aeQ#y)`vNPcc_`SVOs`eQ}RE9e1P0s8A{;Z)QdcQT-tjMfL~i zQWgZZEcb{Mw_@!lVz$Cw4CKdwFY?Nna#qfdyqG1qFj@^!AD-pT0jy%T!%uI#hVIs5+Z`|!Tr_s+Lu{bpt*Gi%M7`L{)`p_B@~ zWtu5y&XC;*>?RV?Hu{poNH--73bzo{+gTxPy+3k2`-LnmCHt)``8h!hl=*zjf?#N! 
z2ba6Hh6;>gscq8E5+%JDuc<*A1y5wtK|>5q%P)y4M4T1MXZhvZ&1&mph9)}N(_Kbg z@Qpgj57M-<@6U8Stcc$&6!Z>Lx8Y*fu@_;XIc4yf$B6#kq;Pikl>&FlfEA$*Nh0z; zg41v}UR9eD=MZqVcsl#lHLoZPC!@?uec8$@@;#0&Ob0~r;n!;p#+?(nngn^F)_GLP=)Nuui5tElX=Szl15dPlD_Y?kC4WYA57FHE$Zoe$9f_?6a97 zvY*_7sbyY@4L5`=ZVj<(na-55&4PP>ywrsEa)#pga+`fP$tF_OGjqgl87-SGd2_+C z6ev;$B^Jpb8m2RMUdaih8cKA;&vfcs~BdoOqMkz z(>2Uicxn5GBQ`J?nB|3bhb=r5Qy;2i*|-a7dZ#i*l+HYX&4*jhtVnqYT;L^sOW%qI zsaD5UAO}@hs+HLaUYz$dp6PbKDzMneW91Y_XTiKR7-D*N6U$QtAH^Dev8!%0%X5Fk z5T?hcu5st)xS2T5p$@MTNzZtb!u3Q9eSV;a0jt2Kd~RofeS1c=d`I1N_0c`wy^dbH448r<&KSc_Gh6 ze>|VdxmTqxJSV~$upRv)8*yS0VbC7gITqFSUKv0pWEB`?H0>07A=X7h*7w1W4viqQRa7VxiLom7cS1tzmIk&H9G z%f7f?yzLA49%4^4B`&cIF(BMAJ40*6*46wpleRCR98bx$wWPKhHaJmw~BqD)uED&LfXHJ7xx!X+e)v?G1l6CryOptMq^$n+ZDJ9`Ia)%iA6!w~?=|rV)Msd5Se~Br4OK zD6lhDP<&rHb*$LT_}1%2s`~2?2>#Zq4u0eqfL>0elIujfT3gCu-ceW5$(yD6&N2JU zX(^u=mMf$7pr%OeCYiES4*wR#Zo44%W33VEoKjuvk4(W(LBypGne_`6cno*h45z%l zlGl0~dE0PJseHJMdyT$drTl!%=azg(o$pgHI1F=*WgL=U`bxu*O%Lpsjh3j$kS+_Q z6kCVw+n#gDq}eg((PFI~qtc zaJ!M{%QAB$S{*`MeI$$W0^gPCSVO4{V10%)`5bYBZNItrkG%vacBAVIWSyX;xiS>Stj4VrC}&A-0qf%xO!_x zN>6a6%NFJ^Zjo9@VNh?|n!xHUXaFbH@ORQ;xr$;*aNFLtSGtKX(i*>W3^Q6iCD`e@ z%ph~xDBgQP*tj}CmD(+Z}R*1uaqDgu5- zca}sqpKV_XiJM~GwJ#->kKo0`O1oZ}Xs_>5LkCyH}n6OanwxJZpm|?S`Es1xM8R5?eN0`?S<-TSL!g>51|I*Zagc8#gDodFFYW zvC@xaw}#@2&sUJKu%Yc8>YopjZ5!yctb=LyZCj=MzUur+*`TVQK7M9e_dM94pyQuT zJa<(9#d}8O%#AT8i!U)x45Wg3zR9jBovRM0-Se z?0OERV{vZQ!8SM0Lp3vzh~yrMf=Fm{(G{QEA`<-^Jk56_iax%DjkcUI**|0|`){}_ zdB3AwRlaYl+)<|d^TQD=Q_8iaNI&^;vs3YI^mjvg7&s!oCcmwte;zvgi>)nCQeXL> z-aC@RXP;epk9X&S#Oeg29)fOSQlx}bz0wOW87UY2%(+;}$)Bb#&ii0AR!cC(iFP#} znc~6e$a-PU8NP1J2$cMl69qWJPIpXu9pXdt-l#jm<3i8Hy?V{e;&)omD0yF!u|Kz? zeV$^8|M^3%0;l~~fC#ne9KCa>)1JEju%v-oKH9_;boc@K? 
z)VLh+xHQRbMDnR_;L`Y_$8l}R4}hi+y&z_ed6P*LPfI?Mx*8^gAs-kMNLQ;!6>|RY zq}adF*L-K`c8`!kc3mVTs~~w?X$%7N1kNFs704gloxTa{PW$p{uI9vy*b`6(r-`ce z=UhSR#$h;P;)plt9Vu{r5rbs|vNtlhfBJjmLQtcKN1dOpF8mpg^%#f&gQ?$jxNIlF zx^_Di+}#3YJ1*GmgHz=T@!d|px$vZfGPHTc>c=?u+I6G{usT{;t}3Y{o!k4cc_cK` zN7FLv62Q4#7W>7`cCcL1hwnn$iq0Q&)- zs%|>0rhwJwXx&?*9n*O8T6^~+-Y>6U2pjO8I6F;?JLW|DY_@f$?8rF+;6qdZ*9}0i zykz}D06>tx0vTgzS7Z#*uM@r1{U4S-aBG9_Sn~ka(wX?W8QZO{yKEe>G%Yv<6F^zc zi+lj=kX*t)I&lD>pAr--iTQ|Re$Y)V(`d@5U|EglDBcxucQ2C{CZ?6P2xk5m+c5j1 z1fi&yUxZp}4id${ z9aHP(&U{VkwlrsWm#>9ELU8Ys8nHbj@nUQ6Tr& z$sXue%?9|LhqC`SZoR5(dy)K4^=9>c-qE}}5bHkz1TKshssYaDh#wd=K?HNq+|M7! z$RPkyFgTsi312z}C~Buiz)42yD|e@)|A)=4yX~xo#pl(+Bhltuwre&>d4pdypkTCp zIdU}dli61RF{=iJOr=2h-r-??aZz$+nB6oWPxEU~>d&{T^L3v|iAw7`7%?)qa~%3G zdA6UmuyiH_#0i=`2O!F(SKx|1a1cJ-*%XM>txD(YAM9dHu( z=E>z3K-e=NS6qZ!|00icnbV^bi>7dm&h~x5%xBX2v*xIwSS_!Vk>`t`S=rND%a3YB z#LTM|^l{N2ya%on2IuZJ02#IXphdI{0h|S(8#_XnmXW*I-cm<{?+@=lI%gjOn7mB@ z`KU6l>AuN$oeZ+wj;JO4C}082eoUYSdc|%G)-RGg*luh`!dUSq=YZ!CChvG;qya4Q{J{*r>0jm3es+P+kn% zy<$fQN&{j$5Zf;fZf^aYG?um{AmofWs|tw88Y&^$P5X9TgZWQqBC#P&km2DBCUh2C zW=9D8TKOh4n)9=>QyZYObq8N3i<;yY(I$1#`_HyAZ~~g1l`h+}ZpjIP|B;`qkOznp zvEtKAx;qNc$3uuS2aZ#EE;#cybFJ~dB=IRDSuo8=%F3fWIu4nz{k5M3XF#xAislVZ zuRPc^!B7_YCh* z8%fyVY#;yTbVV^;>%{`m zU0ATJKR_yZMG}tt8q3B?lklmaRQz(6fy@dZEJOSEtT<0U9X*;~$kw8&N zlz};>t+19YO*R_4wHij(d+a!2(yeJD>jZIy3`JjWK9EXP&niZOVHzJSi`F?;9Z2E zJ-`8x0k8I2jiQ#kwhAEi!najAxF|F!5Qm$;x)^Yz{(gQ5Ev*QAcAtW*fIdq>hY!4m zUir+8@p{g2ujA06;omadD?RmTl&`lv^S?u}GdG*R?)a{#S zeGVr*4OYVj^t%gsZKqt8u(ewa@(Zs)FUh7&#^+DcY9@29n>hg!&vbq~=3N`_ftx2Ul4eFTisHNdesVE_QZK+{zNcYLaqZhySi%wZE zs@zyZ4a!M|YuJw|RzZl{wVk{JQA~o}hR1x0^c>*FeSLaSrpD67D zvg95XqkjVri9ZAf?td&KyZ_l?YEk(-<^9_;!M@h&Ynx?!-W&2Ua(Wd;ZOYV?73>g(%xS^DurKuX%>F&$6*@nliv zvI6;#CHF{Q_D9md`Q~-AI#XiFHq>Yh3nne`ssl}7cE0^mnJp(QtyjDqjhTavZ_U;@ zGT(TvuH6KZ3d4@EYdvP?Qe@V;-jxzq(sP09370iD4muw~PY-ZOYNP@p@c^xdw3Mq(h= zbe+^E!6SOhoLn0gTi9k7r}$Qb*oWG`C8XQfhrvJOmyjdciPfQTr=6pV8&Vf}72@YK 
zjE+-Eci}%^#n={$6K$9yvNziQlCJ84*p&T6>V6NzscTtrZq)qSCAcP_BQUp@M?*19 z3F%j2(aZ@D(&JP#&0T~}qtMsXR68;ZVemoJA`?O=Ir8016-XMj33ZL$1wo(J?>|_D zLAxV%ACG_>`=z{k$Kq6M!Y(h}5#$&Q0b$BK#IjBlz&eU4>R^D!asnObDf;9&-z z;A^Dg81lyq{pS%IGudqopeMIb^Zt!VfuWAsSJNRhSmn(Z@MD*jgE!BMPGt;Inz=p1 z4y8y0u#7IEK9yMUdnWk)P_^ppa2e{1R;dws`LNG-^0^qSkX;^daNH|wv2v!IdhKK7h-hv~wP zDXGG!v(D#E-k7+nwZ2)t^u}XqM1Bhm!Ni;$_4pj%wh?@irYSFX+mE4sX>eBcXG}}bAE?2*silfJDZd{-K)t*tBm7*KXD+xR?IgZ4v>add1o!GUmr?*s@|ug| zx{6`2=3U_oCq1P`!iosMVjun@2hUf(VCT1a7pkv#$XLlhgi!*=O?DhxiU-h}Y!17y zN-qUWOY^>@++I{MOL(Hge3rhLessJFm>iY9)65_Z)*1<0 z*5SU@ddwi)^aSU%Qk6*G!TWTXH<1-`)}~)$Ou~j~nPpV9v4rYN$DQHq5mMCJ#%M_c zPPxk|HTMK!bDSvl-$4yU;#nPrbegCV=_gWeV|;RjBWcI`oxoYt@N<`fdbiw$Bz699 z8R&=TWxC;VY((K)fbZa-4Rb<3XU?EL{>RHAW5u!TaH=K9W4t$d%1hcbF|j1kHjh*1 z@JED-=!6P<5qpyy0^-(Ci(=!wRP~)f6q|YP;4`xUetydSP52Y^kcl{NxyavQoZQ2{y z%KLpd0PZ`7-CCWDKhj7LqV;Lj?i%HIPE-GJ)HrZ;R71@9=o@RZkWqPdu(TehyfM?L z*QmQb3blbkuj_rz^^EnjzfFV=6_+#}? z^zLzow?3KUbZ_!H(t$Z}O4!aEOguLjF7wFtVoMci3vlA@*R?01=#yDB6^U1NwSCI! zS>WDBDN4%1#S}(5M@%kf)q2TR_7a$%zOr=#pazZslB`6${Wf#sXm!9X*W4B`IS;q$#Y9; z`(Ag0yM%r+h?tV2m11o!@+5($lFa5_!1O((gBj19Q;TAnP?0lzs!9?Lc=DrG7ClFF z>a&Q~&Ej_SWouZ`N@#u32^6F*4>+1sHYmN?Gd2vKrqs*HiV)GtLr&PHpXTqp#|*q! 
z{_M8ciIMb$U-aEtdO7gb!`s7jp?jqk#;)Iyrh#+F6;3o{LvaT{X%)|Kl6z>Lh(R`n zG=&$!d6wc^W1B5V4r=8ditZ(hk6-@g8h@GcsOx;La06E>=k zgm?_q3&IXSu3(-%^u{{+byDI)avVB)zD+8rBd8DZoRr~=!C)k%ro1W(x0W1v;6_(v zncq&}&c?iF8kz;%B&69|6qA)bx7dtxnJSmhcrUyC@jI6A))>fd_;>`x7#?mZo(`J3!Pb<-~xQ*R=vz$7IN zY~-=rv1>Y()ba-#^b^l&6hF-wHu3n36!ZktZCS7d&8|q|^)f~FR(EaYTFX}Si&ld; z&5QcPvM%m%1&bK2Gxu=G58q~$pKadF?+LCs4@ca`HyCGiC!0L85}q3VqX^c2Z$BLX z%yr*AB+aixe!s<0RrUmkUN&Q%4u&e0997MozICFCzYqS@c8ah5P-*Zz2cA-V=(2HF zd>BYBXzC@175lm&jyl$#8YMV`=VskD-2!^oMEhR>K@A+0mch=ZSAR-aL~{keaZzj{ zjiBHTd)OBmcD}2OKXZYABtRYryoX@CX(^Yk&VU2fLepg|8RQgCSpiIQPIn0V=(;a- zW5w?eVl#N-|0Q6zz z-{nvpZf8w2{Q+l%Q%5b)e}XHY0naP;smaIz0JL}#()Vc;`?GE$qXy%*F){u8h8|!b z&&j`IVdaVFx%@Rn%>KP!l;~Dx-CU(4fPr8Lc*y!oQ!YUHI7KOz`aMBR z8vtAWrdCxU0-g*+wA26ng;Kj(fPxi>J|ZA9|1K;9=mLa8X3hV*DD{G%sEqq|ji5pN zcVRNpi(vo5uM-uFZA4fdb3@hp5GMvvmO9mxpxV=jb+b}y8ts8%-it-)!OyKPp(YOk z(%sJ-NLF?9JElZ?8~ZPA-a~ zP%WgXk9dJobZLBLWu?&abdpDt?nag88cxE0W^61?Q8HE8N&VmnoSqji9PGuRH+Nt?Q0A?v`Uy*!Kp-8t z_18Cu$~(#=&yRIC-e)>zUvY8119V|JJz7o==t7&mwGl1vy;F(>Wh2=?N&=A{U3&m( zHSx1tIq<~GKYSiYWty^|xENudr6ukDiZsYpSn00bpKW=y37{9hQY5S%OX3%32f3>< zt9|kgC9LV|f_LSDwQTJBzJAAH8-vbk&dFAQ;=jH+_E%!^D)x$4<(vJEY{|MgZU#5* zee=IKJ3g4M<;CydI@;1J0%i`H-a2+*7lo|pGjX3bf_tZ+<-g^yr<8sD{k6d9d{RuuwIG0DVd7P>HbLSa18Hcalw$XrxT{9eau%xsE4FUL*8J;|2k}bYQ(4Z)D@p;Y#QVkjEd}CtOCBo!?TfhUd6o1%EBfMp^#>^>Kh>v`hH3u&(YJrj z9e?%H`w&qG-)rK(^;{Zpvv&TMslU|>1CD5;|C)0M^;GghBom50%Koj^`w&USA)&t- zCDeT*%!{&LUA^<~0ZRrLXZt&HCkk0odjm A{{R30 diff --git a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json index 6f5f5678e..b08396880 100644 --- a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json +++ b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json 
@@ -37,6 +37,9 @@
 "parDataCollectionRuleChangeTrackingName": {
 "value": "ama-ct-default-dcr"
 },
+ "parDataCollectionRuleMDFCSQLName": {
+ "value": "ama-mdfcsql-default-dcr"
+ },
 "parUserAssignedManagedIdentityName": {
 "value": "alz-umi-identity"
 },
@@ -110,6 +113,12 @@
 "kind": "None",
 "notes": "This lock was created by the ALZ Bicep Logging Module."
 }
+ },
+ "parDataCollectionRuleMDFCSQLLock": {
+ "value": {
+ "kind": "None",
+ "notes": "This lock was created by the ALZ Bicep Logging Module."
+ }
 }
 }
 }
diff --git a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json
index 7b3f7d1b7..78222692a 100644
--- a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json
+++ b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json
@@ -34,6 +34,9 @@
 "parDataCollectionRuleChangeTrackingName": {
 "value": "ama-ct-default-dcr"
 },
+ "parDataCollectionRuleMDFCSQLName": {
+ "value": "ama-mdfcsql-default-dcr"
+ },
 "parUserAssignedManagedIdentityName": {
 "value": "alz-umi-identity"
 },
@@ -104,6 +107,12 @@
 "kind": "None",
 "notes": "This lock was created by the ALZ Bicep Logging Module."
 }
+ },
+ "parDataCollectionRuleMDFCSQLLock": {
+ "value": {
+ "kind": "None",
+ "notes": "This lock was created by the ALZ Bicep Logging Module."
+ }
 }
 }
 }
From c9fab0ab314d5f47bcfeab080b5ad048713417db Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Tue, 28 May 2024 22:10:37 -0500
Subject: [PATCH 06/50] Remove legacy solutions
---
 infra-as-code/bicep/modules/logging/logging.bicep | 14 --------------
 1 file changed, 14 deletions(-)
diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep
index c34fd4492..a14143cda 100644
--- a/infra-as-code/bicep/modules/logging/logging.bicep
+++ b/infra-as-code/bicep/modules/logging/logging.bicep
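Review bot: The new `parDataCollectionRuleMDFCSQLLock` entry added in both parameter files sets `"kind": "None"`, so the data collection rule that carries the Defender for SQL telemetry gets no delete protection and an accidental removal stops that feed without any deployment error. That is consistent with the neighbouring lock entries visible in the hunk, but a DCR is a detection dependency rather than a cost item, so a production-oriented parameter file should prefer `"kind": "CanNotDelete"` for it, or the README should state that `None` is a sample value meant to be overridden. Whether the `ama-mdfcsql-default-dcr` name is also referenced by policy assignments elsewhere cannot be seen from this hunk; if it is, the two must be kept in step.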
@@ -114,30 +114,16 @@ param parLogAnalyticsWorkspaceLock lockType = {
 }
 @allowed([
- 'AgentHealthAssessment'
 'AntiMalware'
- 'ChangeTracking'
 'Security'
 'SecurityInsights'
 'ServiceMap'
- 'SQLAdvancedThreatProtection'
- 'SQLVulnerabilityAssessment'
- 'SQLAssessment'
- 'Updates'
- 'VMInsights'
 ])
 @sys.description('Solutions that will be added to the Log Analytics Workspace.')
 param parLogAnalyticsWorkspaceSolutions array = [
- 'AgentHealthAssessment'
 'AntiMalware'
- 'ChangeTracking'
 'Security'
 'SecurityInsights'
- 'SQLAdvancedThreatProtection'
- 'SQLVulnerabilityAssessment'
- 'SQLAssessment'
- 'Updates'
- 'VMInsights'
 ]
 @sys.description('''Resource Lock Configuration for Log Analytics Workspace Solutions.
From 58aed9c963cce496d7a757771b0fc4458c03ba57 Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Tue, 28 May 2024 22:13:43 -0500
Subject: [PATCH 07/50] Change DCR default names
---
 infra-as-code/bicep/modules/logging/logging.bicep | 6 +++---
 .../modules/logging/parameters/logging.parameters.all.json | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep
index a14143cda..8b5930148 100644
--- a/infra-as-code/bicep/modules/logging/logging.bicep
+++ b/infra-as-code/bicep/modules/logging/logging.bicep
@@ -30,7 +30,7 @@ param parLogAnalyticsWorkspaceName string = 'alz-log-analytics'
 param parLogAnalyticsWorkspaceLocation string = resourceGroup().location
 @sys.description('VM Insights Data Collection Rule name for AMA integration.')
-param parDataCollectionRuleVMInsightsName string = 'ama-vmi-default-perfAndda-dcr'
+param parDataCollectionRuleVMInsightsName string = 'alz-ama-vmi-dcr'
 @sys.description('''Resource Lock Configuration for VM Insights Data Collection Rule.
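Review bot: Dropping `'ChangeTracking'`, `'Updates'`, `'VMInsights'` and the three `SQL*` values from the `@allowed([...])` list is a breaking change for any caller that still passes them, and the `@sys.description` on `parLogAnalyticsWorkspaceSolutions` does not say what replaced them, so a failing deployment gives no pointer to the migration path. I would change that line to `@sys.description('Solutions that will be added to the Log Analytics Workspace. Legacy agent-based solutions (ChangeTracking, Updates, VMInsights, SQL*) are no longer accepted; their AMA-based equivalents are deployed through the data collection rule parameters of this module.')`. `'ServiceMap'` remains in the allowed list but not in the default; if it belongs to the same retired agent family it should probably be removed for the same reason, which this hunk does not settle. The trailing `@sys.description('''Resource Lock Configuration ...` line continues outside the hunk.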
@@ -44,7 +44,7 @@ param parDataCollectionRuleVMInsightsLock lockType = {
 }
 @sys.description('Change Tracking Data Collection Rule name for AMA integration.')
-param parDataCollectionRuleChangeTrackingName string = 'ama-ct-default-dcr'
+param parDataCollectionRuleChangeTrackingName string = 'alz-ama-ct-dcr'
 @sys.description('''Resource Lock Configuration for Change Tracking Data Collection Rule.
@@ -58,7 +58,7 @@ param parDataCollectionRuleChangeTrackingLock lockType = {
 }
 @sys.description('MDFC for SQL Data Collection Rule name for AMA integration.')
-param parDataCollectionRuleMDFCSQLName string = 'ama-mdfcsql-default-dcr'
+param parDataCollectionRuleMDFCSQLName string = 'alz-ama-mdfcsql-dcr'
 @sys.description('''Resource Lock Configuration for MDFC Defender for SQL Data Collection Rule.
diff --git a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json
index b08396880..0c95bad53 100644
--- a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json
+++ b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json
@@ -32,13 +32,13 @@
 ]
 },
 "parDataCollectionRuleVMInsightsName": {
- "value": "ama-vmi-default-perfAndda-dcr"
+ "value": "alz-ama-vmi-dcr"
 },
 "parDataCollectionRuleChangeTrackingName": {
- "value": "ama-ct-default-dcr"
+ "value": "alz-ama-ct-dcr"
 },
 "parDataCollectionRuleMDFCSQLName": {
- "value": "ama-mdfcsql-default-dcr"
+ "value": "alz-ama-mdfcsql-dcr"
 },
 "parUserAssignedManagedIdentityName": {
 "value": "alz-umi-identity"
From d560bbf7bb49ecffb9f834bad4fed14e29b1b6ef Mon Sep 17 00:00:00 2001
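Review bot: Changing the defaults of `parDataCollectionRuleChangeTrackingName` and `parDataCollectionRuleMDFCSQLName` (and `parDataCollectionRuleVMInsightsName` in the preceding hunk) changes which resource a redeployment targets, and neither the descriptions nor the commit say so. An environment already deployed with the old `ama-*-default-dcr` names that redeploys with the new defaults would, as far as this module shows, get a second set of DCRs while the original rules and any associations or policy assignments that reference them by resource ID keep pointing at the old ones, so nothing is deleted but collection quietly splits; how the DCR IDs are consumed downstream is not visible here, so treat that as something to confirm. I would extend each description, e.g. `@sys.description('MDFC for SQL Data Collection Rule name for AMA integration. Changing this after an initial deployment creates a new DCR; existing associations stay on the old one.')`, and call the rename out in the release notes. The `@sys.description('''Resource Lock Configuration ...` lines that close each hunk continue outside it.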
From: github-actions Date: Mon, 3 Jun 2024 14:28:19 +0000 Subject: [PATCH 08/50] Update Policy Library (automated) --- .../_policyDefinitionsBicepInput.txt | 100 + ...finition_es_Audit-PrivateLinkDnsZones.json | 6 +- ...esses-UnusedResourcesCostOptimization.json | 6 +- .../policy_definition_es_Deny-APIM-TLS.json | 70 + ..._definition_es_Deny-AppGw-Without-Tls.json | 78 + ...ition_es_Deny-AppService-without-BYOC.json | 62 + ...efinition_es_Deny-AzFw-Without-Policy.json | 54 + ...es_Deny-CognitiveServices-NetworkAcls.json | 66 + ...Deny-CognitiveServices-Resource-Kinds.json | 95 + ...ervices-RestrictOutboundNetworkAccess.json | 62 + ...icy_definition_es_Deny-EH-Premium-CMK.json | 60 + .../policy_definition_es_Deny-EH-minTLS.json | 70 + ...ition_es_Deny-LogicApp-Public-Network.json | 66 + ...ition_es_Deny-LogicApps-Without-Https.json | 66 + ..._definition_es_Deny-Service-Endpoints.json | 60 + ...torage-ContainerDeleteRetentionPolicy.json | 74 + ..._definition_es_Deny-Storage-CopyScope.json | 74 + ..._definition_es_Deny-Storage-CorsRules.json | 102 + ..._definition_es_Deny-Storage-LocalUser.json | 62 + ...ion_es_Deny-Storage-NetworkAclsBypass.json | 90 + ...torage-NetworkAclsVirtualNetworkRules.json | 56 + ...Storage-ResourceAccessRulesResourceId.json | 66 + ...y-Storage-ResourceAccessRulesTenantId.json | 60 + ...on_es_Deny-Storage-ServicesEncryption.json | 102 + ...icy_definition_es_Deny-Storage-minTLS.json | 10 +- ...y_definition_es_Deploy-Diagnostics-AA.json | 7 +- ..._definition_es_Deploy-Diagnostics-ACI.json | 7 +- ..._definition_es_Deploy-Diagnostics-ACR.json | 7 +- ...inition_es_Deploy-Diagnostics-APIMgmt.json | 7 +- ...es_Deploy-Diagnostics-AVDScalingPlans.json | 7 +- ...es_Deploy-Diagnostics-AnalysisService.json | 7 +- ...tion_es_Deploy-Diagnostics-ApiForFHIR.json | 7 +- ...Deploy-Diagnostics-ApplicationGateway.json | 7 +- ...inition_es_Deploy-Diagnostics-Bastion.json | 7 +- ...on_es_Deploy-Diagnostics-CDNEndpoints.json | 7 +- 
..._Deploy-Diagnostics-CognitiveServices.json | 7 +- ...nition_es_Deploy-Diagnostics-CosmosDB.json | 7 +- ...ion_es_Deploy-Diagnostics-DLAnalytics.json | 7 +- ...eploy-Diagnostics-DataExplorerCluster.json | 7 +- ...ion_es_Deploy-Diagnostics-DataFactory.json | 7 +- ...tion_es_Deploy-Diagnostics-Databricks.json | 7 +- ...on_es_Deploy-Diagnostics-EventGridSub.json | 7 +- ...ploy-Diagnostics-EventGridSystemTopic.json | 7 +- ..._es_Deploy-Diagnostics-EventGridTopic.json | 7 +- ...on_es_Deploy-Diagnostics-ExpressRoute.json | 7 +- ...nition_es_Deploy-Diagnostics-Firewall.json | 7 +- ...ition_es_Deploy-Diagnostics-FrontDoor.json | 7 +- ...nition_es_Deploy-Diagnostics-Function.json | 7 +- ...ition_es_Deploy-Diagnostics-HDInsight.json | 7 +- ...on_es_Deploy-Diagnostics-LoadBalancer.json | 7 +- ...on_es_Deploy-Diagnostics-LogAnalytics.json | 7 +- ...on_es_Deploy-Diagnostics-LogicAppsISE.json | 7 +- ...on_es_Deploy-Diagnostics-MediaService.json | 7 +- ...ion_es_Deploy-Diagnostics-MlWorkspace.json | 7 +- ...efinition_es_Deploy-Diagnostics-MySQL.json | 7 +- ..._definition_es_Deploy-Diagnostics-NIC.json | 7 +- ...loy-Diagnostics-NetworkSecurityGroups.json | 7 +- ...tion_es_Deploy-Diagnostics-PostgreSQL.json | 7 +- ...es_Deploy-Diagnostics-PowerBIEmbedded.json | 7 +- ...tion_es_Deploy-Diagnostics-RedisCache.json | 7 +- ...efinition_es_Deploy-Diagnostics-Relay.json | 7 +- ...es_Deploy-Diagnostics-SQLElasticPools.json | 7 +- ...efinition_es_Deploy-Diagnostics-SQLMI.json | 7 +- ...inition_es_Deploy-Diagnostics-SignalR.json | 7 +- ...Deploy-Diagnostics-TimeSeriesInsights.json | 7 +- ..._es_Deploy-Diagnostics-TrafficManager.json | 7 +- ...y_definition_es_Deploy-Diagnostics-VM.json | 7 +- ...definition_es_Deploy-Diagnostics-VMSS.json | 7 +- ...finition_es_Deploy-Diagnostics-VNetGW.json | 7 +- ...on_es_Deploy-Diagnostics-VWanS2SVPNGW.json | 7 +- ..._es_Deploy-Diagnostics-VirtualNetwork.json | 7 +- ...ion_es_Deploy-Diagnostics-WVDAppGroup.json | 7 +- 
...on_es_Deploy-Diagnostics-WVDHostPools.json | 7 +- ...on_es_Deploy-Diagnostics-WVDWorkspace.json | 7 +- ...n_es_Deploy-Diagnostics-WebServerFarm.json | 7 +- ...inition_es_Deploy-Diagnostics-Website.json | 7 +- ...finition_es_Deploy-Diagnostics-iotHub.json | 7 +- ...icy_definition_es_Deploy-LogicApp-TLS.json | 95 + ...s_Deploy-MDFC-Arc-SQL-DCR-Association.json | 8 +- ...s_Deploy-MDFC-Arc-Sql-DefenderSQL-DCR.json | 8 +- ...icy_definition_es_Deploy-MDFC-SQL-AMA.json | 8 +- ...on_es_Deploy-MDFC-SQL-DefenderSQL-DCR.json | 8 +- ...nition_es_Deploy-MDFC-SQL-DefenderSQL.json | 8 +- ...inition_es_Deploy-Private-DNS-Generic.json | 154 ++ ...serAssignedManagedIdentity-VMInsights.json | 7 +- .../policy_definition_es_Modify-NSG.json | 129 + .../policy_definition_es_Modify-UDR.json | 103 + .../_policySetDefinitionsBicepInput.txt | 2230 ++++++++++++++++- ...set_definition_es_Audit-TrustedLaunch.json | 58 + ...ion_es_Audit-TrustedLaunch.parameters.json | 16 + ...efinition_es_Deny-PublicPaaSEndpoints.json | 479 +++- ...s_Deny-PublicPaaSEndpoints.parameters.json | 168 ++ ...on_es_Deploy-Diagnostics-LogAnalytics.json | 7 +- ..._set_definition_es_Deploy-MDFC-Config.json | 8 +- ...nition_es_Deploy-MDFC-Config_20240319.json | 404 +++ ...eploy-MDFC-Config_20240319.parameters.json | 132 + ...nition_es_Deploy-MDFC-DefenderSQL-AMA.json | 8 +- ...efinition_es_Deploy-Private-DNS-Zones.json | 288 ++- ...s_Deploy-Private-DNS-Zones.parameters.json | 121 + ...set_definition_es_Deploy-Sql-Security.json | 8 +- ...ition_es_Deploy-Sql-Security_20240529.json | 135 + ...ploy-Sql-Security_20240529.parameters.json | 36 + ...licy_set_definition_es_Enforce-Backup.json | 134 + ...finition_es_Enforce-Backup.parameters.json | 56 + ..._definition_es_Enforce-EncryptTransit.json | 8 +- ...on_es_Enforce-EncryptTransit_20240509.json | 937 +++++++ ...ce-EncryptTransit_20240509.parameters.json | 304 +++ ..._definition_es_Enforce-Encryption-CMK.json | 286 ++- ..._es_Enforce-Encryption-CMK.parameters.json | 98 + 
...definition_es_Enforce-Guardrails-APIM.json | 234 ++ ...es_Enforce-Guardrails-APIM.parameters.json | 79 + ...ion_es_Enforce-Guardrails-AppServices.json | 367 +++ ...rce-Guardrails-AppServices.parameters.json | 135 + ...tion_es_Enforce-Guardrails-Automation.json | 137 + ...orce-Guardrails-Automation.parameters.json | 44 + ..._Enforce-Guardrails-CognitiveServices.json | 118 + ...ardrails-CognitiveServices.parameters.json | 37 + ...inition_es_Enforce-Guardrails-Compute.json | 64 + ...Enforce-Guardrails-Compute.parameters.json | 16 + ...n_es_Enforce-Guardrails-ContainerApps.json | 64 + ...e-Guardrails-ContainerApps.parameters.json | 16 + ..._Enforce-Guardrails-ContainerInstance.json | 43 + ...ardrails-ContainerInstance.parameters.json | 9 + ..._Enforce-Guardrails-ContainerRegistry.json | 249 ++ ...ardrails-ContainerRegistry.parameters.json | 86 + ...nition_es_Enforce-Guardrails-CosmosDb.json | 124 + ...nforce-Guardrails-CosmosDb.parameters.json | 40 + ...on_es_Enforce-Guardrails-DataExplorer.json | 101 + ...ce-Guardrails-DataExplorer.parameters.json | 30 + ...ion_es_Enforce-Guardrails-DataFactory.json | 120 + ...rce-Guardrails-DataFactory.parameters.json | 37 + ...ition_es_Enforce-Guardrails-EventGrid.json | 173 ++ ...force-Guardrails-EventGrid.parameters.json | 58 + ...nition_es_Enforce-Guardrails-EventHub.json | 101 + ...nforce-Guardrails-EventHub.parameters.json | 30 + ...on_es_Enforce-Guardrails-KeyVault-Sup.json | 62 + ...ce-Guardrails-KeyVault-Sup.parameters.json | 16 + ...nition_es_Enforce-Guardrails-KeyVault.json | 537 +++- ...nforce-Guardrails-KeyVault.parameters.json | 186 ++ ...tion_es_Enforce-Guardrails-Kubernetes.json | 326 +++ ...orce-Guardrails-Kubernetes.parameters.json | 114 + ...es_Enforce-Guardrails-MachineLearning.json | 118 + ...Guardrails-MachineLearning.parameters.json | 37 + ...efinition_es_Enforce-Guardrails-MySQL.json | 63 + ...s_Enforce-Guardrails-MySQL.parameters.json | 16 + ...inition_es_Enforce-Guardrails-Network.json | 525 ++++ 
...Enforce-Guardrails-Network.parameters.json | 195 ++ ...finition_es_Enforce-Guardrails-OpenAI.json | 139 + ..._Enforce-Guardrails-OpenAI.parameters.json | 44 + ...tion_es_Enforce-Guardrails-PostgreSQL.json | 42 + ...orce-Guardrails-PostgreSQL.parameters.json | 9 + ..._definition_es_Enforce-Guardrails-SQL.json | 106 + ..._es_Enforce-Guardrails-SQL.parameters.json | 33 + ...tion_es_Enforce-Guardrails-ServiceBus.json | 101 + ...orce-Guardrails-ServiceBus.parameters.json | 30 + ...inition_es_Enforce-Guardrails-Storage.json | 463 ++++ ...Enforce-Guardrails-Storage.parameters.json | 165 ++ ...inition_es_Enforce-Guardrails-Synapse.json | 202 ++ ...Enforce-Guardrails-Synapse.parameters.json | 68 + ..._es_Enforce-Guardrails-VirtualDesktop.json | 62 + ...-Guardrails-VirtualDesktop.parameters.json | 16 + 161 files changed, 14355 insertions(+), 262 deletions(-) create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-APIM-TLS.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppGw-Without-Tls.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppService-without-BYOC.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AzFw-Without-Policy.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-NetworkAcls.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-Resource-Kinds.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-RestrictOutboundNetworkAccess.json create mode 100644 
infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-EH-Premium-CMK.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-EH-minTLS.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-LogicApp-Public-Network.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-LogicApps-Without-Https.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Service-Endpoints.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-ContainerDeleteRetentionPolicy.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-CopyScope.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-CorsRules.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-LocalUser.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsBypass.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsVirtualNetworkRules.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesResourceId.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesTenantId.json create mode 100644 
infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-ServicesEncryption.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-LogicApp-TLS.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Modify-NSG.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Modify-UDR.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-TrustedLaunch.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-TrustedLaunch.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security_20240529.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security_20240529.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.parameters.json create mode 100644 
infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-APIM.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-APIM.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-AppServices.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-AppServices.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Automation.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Automation.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Compute.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Compute.parameters.json create mode 100644 
infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerApps.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerApps.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerInstance.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerInstance.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerRegistry.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerRegistry.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CosmosDb.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CosmosDb.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataExplorer.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataExplorer.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataFactory.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataFactory.parameters.json create mode 100644 
infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventGrid.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventGrid.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventHub.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventHub.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault-Sup.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault-Sup.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MySQL.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MySQL.parameters.json create mode 100644 
infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-PostgreSQL.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-PostgreSQL.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-SQL.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-SQL.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ServiceBus.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ServiceBus.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.json 
create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.parameters.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-VirtualDesktop.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-VirtualDesktop.parameters.json diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt index 933c1737b..4f9fecc3c 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt @@ -46,10 +46,22 @@ name: 'Deny-AA-child-resources' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AA-child-resources.json') } +{ + name: 'Deny-APIM-TLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-APIM-TLS.json') +} +{ + name: 'Deny-AppGw-Without-Tls' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppGw-Without-Tls.json') +} { name: 'Deny-AppGW-Without-WAF' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppGW-Without-WAF.json') } +{ + name: 'Deny-AppService-without-BYOC' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppService-without-BYOC.json') +} { name: 'Deny-AppServiceApiApp-http' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceApiApp-http.json') 
@@ -62,6 +74,22 @@ name: 'Deny-AppServiceWebApp-http' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceWebApp-http.json') } +{ + name: 'Deny-AzFw-Without-Policy' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AzFw-Without-Policy.json') +} +{ + name: 'Deny-CognitiveServices-NetworkAcls' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-NetworkAcls.json') +} +{ + name: 'Deny-CognitiveServices-Resource-Kinds' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-Resource-Kinds.json') +} +{ + name: 'Deny-CognitiveServices-RestrictOutboundNetworkAccess' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-RestrictOutboundNetworkAccess.json') +} { name: 'Deny-Databricks-NoPublicIp' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-NoPublicIp.json') @@ -74,6 +102,14 @@ name: 'Deny-Databricks-VirtualNetwork' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-VirtualNetwork.json') } +{ + name: 'Deny-EH-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-EH-minTLS.json') +} +{ + name: 'Deny-EH-Premium-CMK' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-EH-Premium-CMK.json') +} { name: 'Deny-FileServices-InsecureAuth' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureAuth.json') 
@@ -90,6 +126,14 @@ name: 'Deny-FileServices-InsecureSmbVersions' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbVersions.json') } +{ + name: 'Deny-LogicApp-Public-Network' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-LogicApp-Public-Network.json') +} +{ + name: 'Deny-LogicApps-Without-Https' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-LogicApps-Without-Https.json') +} { name: 'Deny-MachineLearning-Aks' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Aks.json') @@ -154,6 +198,10 @@ name: 'Deny-Redis-http' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Redis-http.json') } +{ + name: 'Deny-Service-Endpoints' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Service-Endpoints.json') +} { name: 'Deny-Sql-minTLS' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json') 
@@ -162,10 +210,46 @@ name: 'Deny-SqlMi-minTLS' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json') } +{ + name: 'Deny-Storage-ContainerDeleteRetentionPolicy' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ContainerDeleteRetentionPolicy.json') +} +{ + name: 'Deny-Storage-CopyScope' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-CopyScope.json') +} +{ + name: 'Deny-Storage-CorsRules' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-CorsRules.json') +} +{ + name: 'Deny-Storage-LocalUser' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-LocalUser.json') +} { name: 'Deny-Storage-minTLS' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json') } +{ + name: 'Deny-Storage-NetworkAclsBypass' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsBypass.json') +} +{ + name: 'Deny-Storage-NetworkAclsVirtualNetworkRules' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsVirtualNetworkRules.json') +} +{ + name: 'Deny-Storage-ResourceAccessRulesResourceId' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesResourceId.json') +} +{ + name: 'Deny-Storage-ResourceAccessRulesTenantId' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesTenantId.json') +} +{ + name: 'Deny-Storage-ServicesEncryption' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ServicesEncryption.json') +} { name: 'Deny-Storage-SFTP' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-SFTP.json') 
@@ -442,6 +526,10 @@ name: 'Deploy-FirewallPolicy' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-FirewallPolicy.json') } +{ + name: 'Deploy-LogicApp-TLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-LogicApp-TLS.json') +} { name: 'Deploy-MDFC-Arc-SQL-DCR-Association' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-Arc-SQL-DCR-Association.json') @@ -478,6 +566,10 @@ name: 'Deploy-PostgreSQL-sslEnforcement' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json') } +{ + name: 'Deploy-Private-DNS-Generic' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json') +} { name: 'Deploy-Sql-AuditingSettings' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-AuditingSettings.json') @@ -526,3 +618,11 @@ name: 'Deploy-Windows-DomainJoin' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Windows-DomainJoin.json') } +{ + name: 'Modify-NSG' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Modify-NSG.json') +} +{ + name: 'Modify-UDR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Modify-UDR.json') +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json index b23924b95..e63ca602b 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json 
@@ -6,10 +6,10 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Audit the creation of Private Link Private DNS Zones",
- "description": "This policy audits the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription",
+ "displayName": "Audit or Deny the creation of Private Link Private DNS Zones",
+ "description": "This policy audits or denies, depending on assignment effect, the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription",
 "metadata": {
- "version": "1.0.1",
+ "version": "1.0.2",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json
index ac9b4f183..e4012c01b 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json
@@ -9,7 +9,7 @@
 "displayName": "Unused Public IP addresses driving cost should be avoided",
 "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Cost Optimization",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -40,8 +40,8 @@
 "equals": "microsoft.network/publicIpAddresses"
 },
 {
- "field": "Microsoft.Network/publicIPAddresses/sku.name",
- "notEquals": "Basic"
+ "field": "Microsoft.Network/publicIPAddresses/publicIPAllocationMethod",
+ "equals": "Static"
 },
 {
 "anyOf": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-APIM-TLS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-APIM-TLS.json
new file mode 100644
index 000000000..8becabff3
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-APIM-TLS.json
@@ -0,0 +1,70 @@
+{
+ "name": "Deny-APIM-TLS",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "API Management services should use TLS version 1.2",
+ "description": "Azure API Management service should use TLS version 1.2",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "API Management",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.ApiManagement/service"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\":\"true\"')]",
+ "greater": 0
+ },
+ {
+ "value": "[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\":true')]",
+ "greater": 0
+ },
+ {
+ "value": "[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\":\"true\"')]",
+ "greater": 0
+ },
+ {
+ "value": "[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\":true')]",
+ "greater": 0
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
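Review bot: The four `indexof` probes in the `anyOf` only look for the frontend protocol keys (`...gateway.security.protocols.tls10` / `tls11`); the backend-side keys that enable TLS 1.0/1.1 towards backends and the `...protocols.ssl30` key are not covered, so a service can satisfy this definition while still negotiating legacy protocols on one side. Whether backend coverage belongs here or in a sibling definition, `description` should state the scope ("frontend/client-facing protocols only"). `indexof` returns -1 when the substring is absent, so `"greater": 0` works only because the serialized object never places a key at offset 0; `"greaterOrEquals": 0` states the intent directly. The match also depends on `string()` producing compact JSON with no whitespace around `:`, which is a fragile assumption worth recording in `description` since a JSON definition has nowhere else for a comment.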
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppGw-Without-Tls.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppGw-Without-Tls.json
new file mode 100644
index 000000000..ac9934892
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppGw-Without-Tls.json
@@ -0,0 +1,78 @@
+{
+ "name": "Deny-AppGw-Without-Tls",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2",
+ "description": "This policy enables you to restrict that Application Gateways is always deployed with predefined Microsoft policy that is using TLS version 1.2",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "predefinedPolicyName": {
+ "type": "array",
+ "metadata": {
+ "displayName": "Predefined policy name",
+ "description": "Predefined policy name"
+ },
+ "defaultValue": [
+ "AppGwSslPolicy20220101",
+ "AppGwSslPolicy20170401S",
+ "AppGwSslPolicy20220101S"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/applicationGateways"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Network/applicationGateways/sslPolicy.policyType",
+ "notEquals": "Predefined"
+ },
+ {
+ "field": "Microsoft.Network/applicationGateways/sslPolicy.policyType",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Network/applicationGateways/sslPolicy.policyName",
+ "notIn": "[parameters('predefinedPolicyName')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
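Review bot: `predefinedPolicyName` carries a `defaultValue` but no `allowedValues`, so an assignment can replace the list with any predefined policy name — including one whose minimum protocol is below TLS 1.2 — and gateways still pass while `displayName` promises TLS 1.2; adding `"allowedValues"` with the same three names as `defaultValue` pins the guarantee to the definition rather than to each assignment. The `policyType` `notEquals` `Predefined` branch also denies custom SSL policies whose `minProtocolVersion` is TLS 1.2 or higher; if that is intended, `description` should say so explicitly. The parameter's metadata `description` merely repeats its `displayName`; `"description": "Names of the predefined Application Gateway SSL policies that are accepted (all enforce a TLS 1.2 minimum)"` tells an assigner what the list is for. `description` also has a grammar slip: `Application Gateways is always deployed` should read `Application Gateways are always deployed`.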
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppService-without-BYOC.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppService-without-BYOC.json
new file mode 100644
index 000000000..13962cc09
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppService-without-BYOC.json
@@ -0,0 +1,62 @@
+{
+ "name": "Deny-AppService-without-BYOC",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "App Service certificates must be stored in Key Vault",
+ "description": "App Service (including Logic apps and Function apps) must use certificates stored in Key Vault",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "App Service",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/certificates"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Web/certificates/keyVaultId",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Web/certificates/keyVaultSecretName",
+ "exists": "false"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
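Review bot: `effect.defaultValue` is `"Audit"` here while every other new `Deny-*` definition in this patch defaults to `"Deny"`, so either the default or the `Deny-AppService-without-BYOC` name is misleading to whoever assigns it. If `Audit` is deliberate (for instance because some `Microsoft.Web/certificates` resources cannot reference Key Vault), the reason belongs in `description`; otherwise `"defaultValue": "Deny"` keeps the family consistent. Note also that the rule only evaluates `Microsoft.Web/certificates` resources and their `keyVaultId`/`keyVaultSecretName` properties, so `displayName` and `description` should be read as a statement about certificate resources, not about every way a certificate can reach an app.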
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AzFw-Without-Policy.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AzFw-Without-Policy.json new file mode 100644 index 000000000..c762992c0 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AzFw-Without-Policy.json @@ -0,0 +1,54 @@ +{ + "name": "Deny-AzFw-Without-Policy", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Azure Firewall should have a default Firewall Policy", + "description": "This policy denies the creation of Azure Firewall without a default Firewall Policy.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/azureFirewalls" + }, + { + "field": "Microsoft.Network/azureFirewalls/firewallPolicy.id", + "exists": "false" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-NetworkAcls.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-NetworkAcls.json new file mode 100644 index 000000000..e3de09eb3 --- /dev/null 
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-NetworkAcls.json
@@ -0,0 +1,66 @@
+{
+ "name": "Deny-CognitiveServices-NetworkAcls",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Network ACLs should be restricted for Cognitive Services",
+ "description": "Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. Enable this to restrict inbound network access and enforce the usage of private endpoints.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Cognitive Services",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.CognitiveServices/accounts"
+ },
+ {
+ "anyOf": [
+ {
+ "count": {
+ "field": "Microsoft.CognitiveServices/accounts/networkAcls.ipRules[*]"
+ },
+ "greater": 0
+ },
+ {
+ "count": {
+ "field": "Microsoft.CognitiveServices/accounts/networkAcls.virtualNetworkRules[*]"
+ },
+ "greater": 0
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-Resource-Kinds.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-Resource-Kinds.json
new file mode 100644
index 000000000..e4c416f5d
--- /dev/null
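Review bot: The `anyOf` only fires when `networkAcls.ipRules` or `networkAcls.virtualNetworkRules` is non-empty, so an account with no rules at all and the network ACL default action left at allow (i.e. fully public) passes this definition, which makes the `description` claim that it enforces "the usage of private endpoints" an overstatement. If closing the default action is intentionally left to the built-in network-restriction policy, say so in `description` ("complements the built-in default-action policy; does not by itself block public access"); otherwise add a third `anyOf` branch such as `{ "field": "Microsoft.CognitiveServices/accounts/networkAcls.defaultAction", "notEquals": "Deny" }` — I believe that alias exists, but confirm it before relying on it. This is the one new `Deny-*` definition whose stated intent depends on a sibling policy, so that dependency is worth documenting.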
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-Resource-Kinds.json 
@@ -0,0 +1,95 @@ +{ + "name": "Deny-CognitiveServices-Resource-Kinds", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Only explicit kinds for Cognitive Services should be allowed", + "description": "Azure Cognitive Services should only create explicit allowed kinds.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "allowedKinds": { + "type": "array", + "metadata": { + "displayName": "Effect", + "description": "Select the allowed resource kinds to be used with Cognitive Services" + }, + "allowedValues": [ + "AnomalyDetector", + "ComputerVision", + "CognitiveServices", + "ContentModerator", + "CustomVision.Training", + "CustomVision.Prediction", + "Face", + "FormRecognizer", + "ImmersiveReader", + "LUIS", + "Personalizer", + "SpeechServices", + "TextAnalytics", + "TextTranslation", + "OpenAI" + ], + "defaultValue": [ + "AnomalyDetector", + "ComputerVision", + "CognitiveServices", + "ContentModerator", + "CustomVision.Training", + "CustomVision.Prediction", + "Face", + "FormRecognizer", + "ImmersiveReader", + "LUIS", + "Personalizer", + "SpeechServices", + "TextAnalytics", + "TextTranslation", + "OpenAI" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + { + "field": "kind", + "notIn": "[parameters('allowedKinds')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
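Review bot: The `allowedKinds` parameter carries a copy-pasted `"displayName": "Effect"`, which is what the portal and compliance views will show for the kinds list; it should read `"displayName": "Allowed Kinds",`. The parameter type is also written as `"type": "array"` while every other definition in this commit uses capitalised type names (`"String"`, `"Integer"`, `"Array"`); Policy accepts both, but `minTlsVersion` in Deny-EH-minTLS has the same lowercase `"string"`, so it is worth normalising once.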
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-RestrictOutboundNetworkAccess.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-RestrictOutboundNetworkAccess.json new file mode 100644 index 000000000..07c5885f2 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-RestrictOutboundNetworkAccess.json @@ -0,0 +1,62 @@ +{ + "name": "Deny-CognitiveServices-RestrictOutboundNetworkAccess", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Outbound network access should be restricted for Cognitive Services", + "description": "Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess", + "exists": "false" + }, + { + "field": "Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess", + "notEquals": true + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
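Review bot: The `restrictOutboundNetworkAccess` check is the right gate, but the rule does not look at the account's `allowedFqdnList`, so an account with the flag set and a very broad FQDN list is fully compliant; the description ("Enable this to limit outbound connectivity for the service") reads as if the policy itself bounds egress. Suggest adding to the description that the permitted destination list is not evaluated, or tracking a follow-up that parameterises it. Otherwise the `exists`/`notEquals` pair matches the pattern used elsewhere in this commit.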
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-EH-Premium-CMK.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-EH-Premium-CMK.json new file mode 100644 index 000000000..2785c8031 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-EH-Premium-CMK.json @@ -0,0 +1,60 @@ +{ + "name": "Deny-EH-Premium-CMK", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Event Hub namespaces (Premium) should use a customer-managed key for encryption", + "description": "Event Hub namespaces (Premium) should use a customer-managed key for encryption.", + "metadata": { + "version": "1.0.0", + "category": "Event Hub", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.EventHub/namespaces" + }, + { + "field": "Microsoft.EventHub/namespaces/sku.name", + "equals": "Premium" + }, + { + "not": { + "field": "Microsoft.EventHub/namespaces/encryption.keySource", + "equals": "Microsoft.Keyvault" + } + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
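Review bot: With `"defaultValue": "Deny"`, this definition may block the common pattern where a Premium namespace is first created with a system-assigned identity and encryption is configured in a second PUT once that identity exists; a user-assigned identity avoids the ordering problem, but that should be stated in the description so operators are not surprised by denied deployments (this is inferred from how managed identities are provisioned, not from the hunk itself). Separately, the comparison value `"Microsoft.Keyvault"` works because Policy string comparison is case-insensitive, but writing it as the ARM enum `"equals": "Microsoft.KeyVault"` avoids a reader assuming it is a typo.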
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-EH-minTLS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-EH-minTLS.json new file mode 100644 index 000000000..a1e8b33e7 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-EH-minTLS.json @@ -0,0 +1,70 @@ +{ + "name": "Deny-EH-minTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Event Hub namespaces should use a valid TLS version", + "description": "Event Hub namespaces should use a valid TLS version.", + "metadata": { + "version": "1.0.0", + "category": "Event Hub", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "minTlsVersion": { + "type": "string", + "metadata": { + "displayName": "Minimum TLS Version", + "description": "Minimum TLS version to be used by Event Hub" + }, + "defaultValue": "1.2" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.EventHub/namespaces" + }, + { + "anyOf": [ + { + "field": "Microsoft.EventHub/namespaces/minimumTlsVersion", + "notEquals": "[parameters('minTlsVersion')]" + }, + { + "field": "Microsoft.EventHub/namespaces/minimumTlsVersion", + "exists": "false" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
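Review bot: The parameter is named and described as a minimum (`"displayName": "Minimum TLS Version"`), but the rule uses `"notEquals": "[parameters('minTlsVersion')]"`, which is an exact match: a namespace set to a newer version than the parameter would be denied, and lowering the enforced value later would start denying every namespace already on 1.2. If the intent is an exact version, rename the parameter and description accordingly; if it is a floor, make the parameter an `Array` of accepted versions (for example `["1.2", "1.3"]`, constructed example) and use `"notIn": "[parameters('minTlsVersion')]"`.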
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-LogicApp-Public-Network.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-LogicApp-Public-Network.json new file mode 100644 index 000000000..08af4808c --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-LogicApp-Public-Network.json @@ -0,0 +1,66 @@ +{ + "name": "Deny-LogicApp-Public-Network", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Logic apps should disable public network access", + "description": "Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. Creating private endpoints can limit exposure of a Logic App. Learn more at: https://aka.ms/app-service-private-endpoint.", + "metadata": { + "version": "1.0.0", + "category": "Logic Apps", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "contains": "workflowapp" + }, + { + "anyOf": [ + { + "field": "Microsoft.Web/sites/publicNetworkAccess", + "exists": "false" + }, + { + "field": "Microsoft.Web/sites/publicNetworkAccess", + "notEquals": "Disabled" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
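Review bot: The `"kind"`/`"contains": "workflowapp"` filter on `Microsoft.Web/sites` scopes this to Logic Apps Standard only; Consumption workflows (`Microsoft.Logic/workflows`) are not evaluated, while the displayName and description speak of "Logic apps" generally. Suggest making that explicit, e.g. `"displayName": "Logic apps (Standard) should disable public network access"`, and noting in the description that Consumption workflows are out of scope. The same wording issue applies to Deny-LogicApps-Without-Https, which uses the identical type and kind filter.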
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-LogicApps-Without-Https.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-LogicApps-Without-Https.json new file mode 100644 index 000000000..412add92b --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-LogicApps-Without-Https.json @@ -0,0 +1,66 @@ +{ + "name": "Deny-LogicApps-Without-Https", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Logic app should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "metadata": { + "version": "1.0.0", + "category": "Logic Apps", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "contains": "workflowapp" + }, + { + "anyOf": [ + { + "field": "Microsoft.Web/sites/httpsOnly", + "exists": "false" + }, + { + "field": "Microsoft.Web/sites/httpsOnly", + "equals": "false" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Service-Endpoints.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Service-Endpoints.json new file mode 100644 index 000000000..6c90c9947 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Service-Endpoints.json @@ -0,0 +1,60 @@ +{ + "name": "Deny-Service-Endpoints", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deny or Audit service endpoints on subnets", + "description": "This Policy will deny/audit Service Endpoints on subnets. Service Endpoints allows the network traffic to bypass Network appliances, such as the Azure Firewall.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/subnets" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*]", + "where": { + "field": "Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*].service", + "exists": true + } + }, + "greater": 0 + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
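Review bot: The `where` clause uses the JSON boolean `"exists": true`, and Deny-Storage-ContainerDeleteRetentionPolicy uses `"exists": false`, while every other definition in this commit writes the string form `"exists": "false"`; Policy accepts both, but mixing them within one library invites a future "fix" that flips one by mistake, so pick one form. The `where` filter itself (`serviceEndpoints[*].service` exists) does not narrow anything a plain `count` on `serviceEndpoints[*]` would not, so it can be dropped or, if kept, explained with a sentence in the description.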
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-ContainerDeleteRetentionPolicy.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-ContainerDeleteRetentionPolicy.json new file mode 100644 index 000000000..6325b5b49 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-ContainerDeleteRetentionPolicy.json 
@@ -0,0 +1,74 @@ +{ + "name": "Deny-Storage-ContainerDeleteRetentionPolicy", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Storage Accounts should use a container delete retention policy", + "description": "Enforce container delete retention policies larger than seven days for storage account. Enable this for increased data loss protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "minContainerDeleteRetentionInDays": { + "type": "Integer", + "metadata": { + "displayName": "Minimum Container Delete Retention in Days", + "description": "Specifies the minimum number of days for the container delete retention policy" + }, + "defaultValue": 7 + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/blobServices" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled", + "exists": false + }, + { + "field": "Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled", + "notEquals": true + }, + { + "field": "Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.days", + "less": "[parameters('minContainerDeleteRetentionInDays')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
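Review bot: The rule targets `Microsoft.Storage/storageAccounts/blobServices`, which is only evaluated when that child resource is written; a storage account deployed without a `blobServices/default` resource is never denied at creation, so the Deny effect is a weaker guarantee than the description suggests (existing resources still surface as non-compliant on scan). Worth stating in the description, and the same applies to Deny-Storage-CorsRules, which targets the blob, file, table and queue service child resources. The description also says "larger than seven days" while the condition is `"less": "[parameters('minContainerDeleteRetentionInDays')]"`, so exactly seven is accepted; "at least seven days" would match the rule.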
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-CopyScope.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-CopyScope.json new file mode 100644 index 000000000..a8fb06bb8 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-CopyScope.json 
@@ -0,0 +1,74 @@ +{ + "name": "Deny-Storage-CopyScope", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Allowed Copy scope should be restricted for Storage Accounts", + "description": "Azure Storage accounts should restrict the allowed copy scope. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "allowedCopyScope": { + "type": "String", + "metadata": { + "displayName": "Allowed Copy Scope", + "description": "Specify the allowed copy scope." + }, + "allowedValues": [ + "AAD", + "PrivateLink" + ], + "defaultValue": "AAD" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/allowedCopyScope", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/allowedCopyScope", + "notEquals": "[parameters('allowedCopyScope')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-CorsRules.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-CorsRules.json new file mode 100644 index 000000000..758a36ba5 --- /dev/null 
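Review bot: `allowedCopyScope` is a single-valued `String` with `"defaultValue": "AAD"`, so under the default an account that sets the more restrictive `PrivateLink` scope is denied even though both values are restricted scopes and the stated goal is data-exfiltration protection. If either restricted scope should be acceptable, make the parameter an `Array` with `"defaultValue": ["AAD", "PrivateLink"]` and change the condition to `"notIn": "[parameters('allowedCopyScope')]"`; if a single scope is intended, the description should say that the other scope will be denied.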
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-CorsRules.json 
@@ -0,0 +1,102 @@ +{ + "name": "Deny-Storage-CorsRules", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Storage Accounts should restrict CORS rules", + "description": "Deny CORS rules for storage account for increased data exfiltration protection and endpoint protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/blobServices" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/blobServices/cors.corsRules[*]" + }, + "greater": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/fileServices" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/fileServices/cors.corsRules[*]" + }, + "greater": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/tableServices" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/tableServices/cors.corsRules[*]" + }, + "greater": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/queueServices" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/queueServices/cors.corsRules[*]" + }, + "greater": 0 + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-LocalUser.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-LocalUser.json new file mode 100644 index 000000000..ef224a3a6 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-LocalUser.json @@ -0,0 +1,62 @@ +{ + "name": "Deny-Storage-LocalUser", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Local users should be restricted for Storage Accounts", + "description": "Azure Storage accounts should disable local users for features like SFTP. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/isLocalUserEnabled", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/isLocalUserEnabled", + "notEquals": false + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
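Review bot: The `"exists": "false"` branch means any storage account template that simply omits `isLocalUserEnabled` is denied, even though (as far as I can tell, not visible in the hunk) the platform default for an unspecified value is `false`. If forcing the property to be explicit is the intent, say so in the description; otherwise dropping the `exists` branch and keeping only `"notEquals": false` avoids breaking templates that never enable local users. The `notEquals: false` comparison against the boolean property is otherwise correct.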
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsBypass.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsBypass.json new file mode 100644 index 000000000..47b3b9608 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsBypass.json 
@@ -0,0 +1,90 @@ +{ + "name": "Deny-Storage-NetworkAclsBypass", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Network ACL bypass option should be restricted for Storage Accounts", + "description": "Azure Storage accounts should restrict the bypass option for service-level network ACLs. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "allowedBypassOptions": { + "type": "Array", + "metadata": { + "displayName": "Allowed Bypass Options", + "description": "Specifies which options are allowed to bypass the vnet configuration" + }, + "allowedValues": [ + "None", + "Logging", + "Metrics", + "AzureServices", + "Logging, Metrics", + "Logging, AzureServices", + "Metrics, AzureServices", + "Logging, Metrics, AzureServices", + "Logging, Metrics, AzureServices" + ], + "defaultValue": [ + "Logging", + "Metrics", + "AzureServices", + "Logging, Metrics", + "Logging, AzureServices", + "Metrics, AzureServices", + "Logging, Metrics, AzureServices", + "Logging, Metrics, AzureServices" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/networkAcls.bypass", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/networkAcls.bypass", + "notIn": "[parameters('allowedBypassOptions')]" + } + ] + } + ] + }, + "then": { + 
"effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsVirtualNetworkRules.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsVirtualNetworkRules.json new file mode 100644 index 000000000..f8ae97ebc --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsVirtualNetworkRules.json @@ -0,0 +1,56 @@ +{ + "name": "Deny-Storage-NetworkAclsVirtualNetworkRules", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Virtual network rules should be restricted for Storage Accounts", + "description": "Azure Storage accounts should restrict the virtual network service-level network ACLs. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*]" + }, + "greater": 0 + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
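Review bot: `"Logging, Metrics, AzureServices"` appears twice in both `allowedValues` and `defaultValue` of `allowedBypassOptions`; the duplicate should be removed. More importantly, `"None"` is offered in `allowedValues` but absent from `defaultValue`, so under the default assignment an account configured with the strictest setting (`networkAcls.bypass: None`) is denied while `AzureServices` is allowed — `"None"` should be in the default list. Because `bypass` is stored as a single comma-separated string, the `notIn` match is sensitive to the exact ordering and spacing ARM returns; confirm the listed combinations match the stored form or the policy will deny valid configurations.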
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesResourceId.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesResourceId.json new file mode 100644 index 000000000..140f10232 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesResourceId.json 
@@ -0,0 +1,66 @@ +{ + "name": "Deny-Storage-ResourceAccessRulesResourceId", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Resource Access Rules resource IDs should be restricted for Storage Accounts", + "description": "Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from a specific Azure subscription. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]" + }, + "greater": 0 + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]", + "where": { + "value": "[split(current('Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].resourceId'), '/')[2]]", + "equals": "*" + } + }, + "greater": 0 + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesTenantId.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesTenantId.json new file mode 100644 index 000000000..6cce477cd 
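Review bot: The second condition (`count` of `networkAcls.resourceAccessRules[*]` greater than 0) is implied by the third (`count` with the `where` filter greater than 0), so it can be removed to keep the rule minimal. The `where` expression `split(current(...resourceId), '/')[2]` assumes every `resourceId` has at least three `/`-separated segments; if ARM ever accepts a shorter value, the index would fail evaluation rather than match, so confirm the format guarantee or add a `like` guard on the prefix (`/subscriptions/*`). Note that wildcards at resource-group or resource level are still permitted, which matches the description ("a specific Azure subscription") and is worth stating explicitly.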
--- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesTenantId.json @@ -0,0 +1,60 @@ +{ + "name": "Deny-Storage-ResourceAccessRulesTenantId", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Resource Access Rules Tenants should be restricted for Storage Accounts", + "description": "Azure Storage accounts should restrict the resource access rule for service-level network ACLs to service from the same AAD tenant. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]" + }, + "greater": 0 + }, + { + "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].tenantId", + "notEquals": "[subscription().tenantId]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-ServicesEncryption.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-ServicesEncryption.json new file mode 100644 index 000000000..54d016827 --- /dev/null 
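Review bot: The tenant check relies on the negated-operator semantics of a bare `[*]` alias (`"field": "...resourceAccessRules[*].tenantId", "notEquals": "[subscription().tenantId]"`), which is easy to misread as "all rules differ" rather than "any rule differs". The sibling Deny-Storage-ResourceAccessRulesResourceId uses the explicit `count`/`where` form; for consistency and clarity use the same here: `"count": { "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]", "where": { "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].tenantId", "notEquals": "[subscription().tenantId]" } }, "greater": 0`. That also makes the preceding plain `count ... greater: 0` condition redundant.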
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-ServicesEncryption.json 
@@ -0,0 +1,102 @@
+{
+ "name": "Deny-Storage-ServicesEncryption",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Encryption for storage services should be enforced for Storage Accounts",
+ "description": "Azure Storage accounts should enforce encryption for all storage services. Enforce this for increased encryption scope.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "anyOf": [
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
+ "notEquals": true
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/encryption.services.file.enabled",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/encryption.services.file.enabled",
+ "notEquals": true
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType",
+ "notEquals": "Account"
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/encryption.services.table.keyType",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/encryption.services.table.keyType",
+ "notEquals": "Account"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json
index 5b10d4862..b4b36c6e4 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json
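Review bot: The description, `Azure Storage accounts should enforce encryption for all storage services`, does not say what the rule actually checks: the blob and file branches require `enabled` to be `true`, while the queue and table branches require `keyType` to equal `Account` (account-scoped keys) and never look at `enabled`, so an account whose queue and table services use the default service-scoped key is denied even though it is encrypted. A reader of the displayName would not expect that, so either spell it out, e.g. `"description": "Azure Storage accounts should have encryption enabled for blob and file services and use account-scoped encryption keys (keyType Account) for queue and table services. Enforce this for increased encryption scope."`, or make the four branches symmetric. Note also that the `"exists": "false"` branches fire on a create request that omits the encryption block entirely — if Deny is evaluated on the request payload, which I believe it is, deployments relying on platform defaults will be rejected, and that should be stated as well.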
@@ -5,11 +5,13 @@
 "scope": null,
 "properties": {
 "policyType": "Custom",
- "mode": "Indexed",
- "displayName": "Storage Account set to minimum TLS and Secure transfer should be enabled",
- "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
+ "mode": "All",
+ "displayName": "[Deprecated] Storage Account set to minimum TLS and Secure transfer should be enabled",
+ "description": "Audit requirement of Secure transfer in your storage account. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/fe83a0eb-a853-422d-aac2-1bffd182c5d0.html and https://www.azadvertizer.net/azpolicyadvertizer/404c3081-a854-4457-ae30-26a93ef643f9.html",
 "metadata": {
- "version": "1.0.0",
+ "deprecated": true,
+ "supersededBy": "fe83a0eb-a853-422d-aac2-1bffd182c5d0,404c3081-a854-4457-ae30-26a93ef643f9",
+ "version": "1.0.0-deprecated",
 "category": "Storage",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AA.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AA.json
index fee8ee212..c1e6c49bd 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AA.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AA.json
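Review bot: `"mode": "All"` is a functional change to the policy's evaluation scope bundled into what is otherwise a deprecation-only edit; for storage accounts it is probably a no-op, but it is not explained anywhere, so either keep `"mode": "Indexed"` or record why the mode moves in the commit message. The `[Deprecated] ` prefix here also differs from the `[Deprecated]: ` form the Deploy-Diagnostics hunks use, which makes filtering on displayName unreliable — pick one. The `supersededBy` value is a comma-joined string; an array of IDs would be easier for tooling to consume, though that is a choice the rest of the library may already have made.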
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Automation to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Automation to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACI.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACI.json
index 2ab193db6..0a88a7df4 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACI.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACI.json
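Review bot: The `metadata` block gains `"deprecated": true` but no `supersededBy` entry, so the ID of the built-in initiative that replaces this policy lives only inside the free-text description, whereas the Deny-Storage-minTLS hunk in the same commit records it in a machine-readable `supersededBy` key. Adding `"supersededBy": "0884adba-2312-4468-abeb-5422caed1038",` next to `"deprecated": true` keeps the two deprecation markers consistent and lets tooling map deprecated definitions to their replacements without parsing prose. The same applies to the ACI, ACR, APIMgmt, AVDScalingPlans, AnalysisService, ApiForFHIR, ApplicationGateway, Bastion, CDNEndpoints, CognitiveServices, CosmosDB, DLAnalytics, DataExplorerCluster, DataFactory, Databricks, EventGridSub, EventGridSystemTopic and EventGridTopic hunks that follow.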
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Container Instances to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACR.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACR.json
index fac00d211..7860050e2 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACR.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACR.json
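Review bot: The rewritten description for Container Instances still says `when any ACR which is missing this diagnostic settings`, a copy-paste leftover from the Container Registry definition that this edit had the chance to correct. Since the line is being replaced anyway, `when any Container Instance which is missing this diagnostic settings` is the accurate wording.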
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Container Registry to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-APIMgmt.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-APIMgmt.json
index 9ffe64057..fda4db6d1 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-APIMgmt.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-APIMgmt.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for API Management to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for API Management to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.2.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AVDScalingPlans.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AVDScalingPlans.json
index 631957ec9..727dd199e 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AVDScalingPlans.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AVDScalingPlans.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AnalysisService.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AnalysisService.json
index 0b6991826..9774e025d 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AnalysisService.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AnalysisService.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApiForFHIR.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApiForFHIR.json
index 3c43b2d87..0dd4e3223 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApiForFHIR.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApiForFHIR.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApplicationGateway.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApplicationGateway.json
index 4362a337f..03f5b218c 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApplicationGateway.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApplicationGateway.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Bastion.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Bastion.json
index 8958c29e1..48afcbdea 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Bastion.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Bastion.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CDNEndpoints.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CDNEndpoints.json
index 618a4d6b0..eaebf19cd 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CDNEndpoints.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CDNEndpoints.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CognitiveServices.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CognitiveServices.json
index fbf8a0e5b..17951837e 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CognitiveServices.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CognitiveServices.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json
index 0c5e86c70..8832fe3c0 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.2.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DLAnalytics.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DLAnalytics.json
index 43e223d8e..54232fd32 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DLAnalytics.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DLAnalytics.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataExplorerCluster.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataExplorerCluster.json
index 8faad53c9..896422bd0 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataExplorerCluster.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataExplorerCluster.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json
index fe5aa77ef..019beab83 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Data Factory to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.2.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json
index b93b48b69..a2b53063a 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Databricks to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.3.0",
+ "deprecated": true,
+ "version": "1.3.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSub.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSub.json
index c77b4eb3d..b4b5adb0c 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSub.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSub.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSystemTopic.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSystemTopic.json
index 51ed84ae9..bd4501c9b 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSystemTopic.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSystemTopic.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridTopic.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridTopic.json
index 5990ef97e..cf1ff1ce2 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridTopic.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridTopic.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.2.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ExpressRoute.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ExpressRoute.json
index 25aa36286..88257d03f 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ExpressRoute.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ExpressRoute.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Firewall.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Firewall.json
index 01d780d7d..3546fe19e 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Firewall.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Firewall.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Firewall to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.2.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-FrontDoor.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-FrontDoor.json
index d7fa9f3c2..7bd6c5416 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-FrontDoor.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-FrontDoor.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Front Door to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Function.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Function.json
index bcde0b94b..0ad8e5e58 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Function.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Function.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-HDInsight.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-HDInsight.json
index b2a779ec5..f23df3993 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-HDInsight.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-HDInsight.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for HDInsight to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LoadBalancer.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LoadBalancer.json
index 69898554f..b4a00e7e3 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LoadBalancer.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LoadBalancer.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogAnalytics.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogAnalytics.json
index bf6d6c29f..2eaf1d164 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogAnalytics.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogAnalytics.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json
index 1d5628291..19b436fb6 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MediaService.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MediaService.json
index c98506e3b..c0e9d24fd 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MediaService.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MediaService.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MlWorkspace.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MlWorkspace.json
index 6df9c2472..1dcb9ebd9 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MlWorkspace.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MlWorkspace.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.2.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MySQL.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MySQL.json
index 1048f2fa3..4fbe778f3 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MySQL.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MySQL.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NIC.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NIC.json
index daca6b487..747da3d7d 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NIC.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NIC.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NetworkSecurityGroups.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NetworkSecurityGroups.json
index e78433615..fb73376ef 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NetworkSecurityGroups.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NetworkSecurityGroups.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json
index 82b1ba70c..e78cb594d 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "2.0.0",
+ "deprecated": true,
+ "version": "2.0.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PowerBIEmbedded.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PowerBIEmbedded.json
index e3988dbff..f06edec62 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PowerBIEmbedded.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PowerBIEmbedded.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-RedisCache.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-RedisCache.json
index 44f70db10..8b73c2d2c 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-RedisCache.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-RedisCache.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Relay.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Relay.json
index f8595c851..2f9c9047b 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Relay.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Relay.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Relay to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Relay to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLElasticPools.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLElasticPools.json
index 2cf6fe69f..6d632c1d8 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLElasticPools.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLElasticPools.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLMI.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLMI.json
index d838026c2..825ba0362 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLMI.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLMI.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SignalR.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SignalR.json
index e9a395c1f..ed26505af 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SignalR.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SignalR.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for SignalR to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TimeSeriesInsights.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TimeSeriesInsights.json
index ca3dfcc2d..76c53faea 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TimeSeriesInsights.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TimeSeriesInsights.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TrafficManager.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TrafficManager.json
index 2bd6593bf..575f26bf8 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TrafficManager.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TrafficManager.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VM.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VM.json
index fe19ea182..98b10facc 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VM.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VM.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VMSS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VMSS.json
index 3adea471a..dac3394e2 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VMSS.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VMSS.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json
index ac9bd97fa..98cbd291f 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.1",
+ "deprecated": true,
+ "version": "1.1.1-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VWanS2SVPNGW.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VWanS2SVPNGW.json
index 6d51b7520..46db0f5f6 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VWanS2SVPNGW.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VWanS2SVPNGW.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.0.0",
+ "deprecated": true,
+ "version": "1.0.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VirtualNetwork.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VirtualNetwork.json
index 9dbde3a3e..1add05f3d 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VirtualNetwork.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VirtualNetwork.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDAppGroup.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDAppGroup.json
index 5db3014d0..29958cbcc 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDAppGroup.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDAppGroup.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.1",
+ "deprecated": true,
+ "version": "1.1.1-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDHostPools.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDHostPools.json
index 213d020c4..9f8d0e8a8 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDHostPools.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDHostPools.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.3.0",
+ "deprecated": true,
+ "version": "1.3.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDWorkspace.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDWorkspace.json
index 215102a42..072193393 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDWorkspace.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDWorkspace.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.1",
+ "deprecated": true,
+ "version": "1.1.1-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WebServerFarm.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WebServerFarm.json
index ba52b224c..e4fdf8e2f 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WebServerFarm.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WebServerFarm.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Website.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Website.json
index af682e66a..c31f9e38d 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Website.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Website.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for App Service to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for App Service to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.2.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-iotHub.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-iotHub.json
index 2ab78fb4b..82aec5d9d 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-iotHub.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-iotHub.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-LogicApp-TLS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-LogicApp-TLS.json
new file mode 100644
index 000000000..9c202975f
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-LogicApp-TLS.json
@@ -0,0 +1,95 @@
+{
+ "name": "Deploy-LogicApp-TLS",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Configure Logic apps to use the latest TLS version",
+ "description": "Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Logic Apps",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "kind",
+ "contains": "workflowapp"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Web/sites/config",
+ "name": "web",
+ "existenceCondition": {
+ "field": "Microsoft.Web/sites/config/minTlsVersion",
+ "equals": "1.2"
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "parameters": {
+ "siteName": {
+ "value": "[field('name')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "siteName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/config",
+ "apiVersion": "2021-02-01",
+ "name": "[concat(parameters('siteName'), '/web')]",
+ "properties": {
+ "minTlsVersion": "1.2"
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-Arc-SQL-DCR-Association.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-Arc-SQL-DCR-Association.json
index dd506c8a6..4b39f8dc4 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-Arc-SQL-DCR-Association.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-Arc-SQL-DCR-Association.json
@@ -6,12 +6,14 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR",
- "description": "Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers.",
+ "displayName": "[Deprecated]: Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR",
+ "description": "Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.0-deprecated",
 "category": "Security Center",
 "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "2227e1f1-23dd-4c3a-85a9-7024a401d8b2",
 "alzCloudEnvironments": [
 "AzureCloud",
 "AzureChinaCloud",
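Review bot: The `existenceCondition` of the new Deploy-LogicApp-TLS definition is `"equals": "1.2"`, so a site whose `minTlsVersion` has already been raised above 1.2 (for example "1.3", where the platform accepts it) would be evaluated as non-compliant and the DeployIfNotExists template would write `"minTlsVersion": "1.2"` back, silently lowering the floor; `"in": ["1.2", "1.3"]` (or an equivalent not-below-1.2 check) still remediates 1.0/1.1 without that downgrade. The `description` also ends with "Upgrade to the latest TLS version for Function apps", while the rule targets `Microsoft.Web/sites` whose `kind` contains `workflowapp`, so that sentence should read "for Logic apps". Finally, `displayName` and `description` promise "the latest TLS version" while the template hard-codes 1.2; either expose the minimum as a parameter or word the text as "TLS 1.2 or later" so the policy does not overstate what it enforces.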
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-Arc-Sql-DefenderSQL-DCR.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-Arc-Sql-DefenderSQL-DCR.json
index c4aa4fdc9..4bf554007 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-Arc-Sql-DefenderSQL-DCR.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-Arc-Sql-DefenderSQL-DCR.json
@@ -6,12 +6,14 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace",
- "description": "Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.",
+ "displayName": "[Deprecated]: Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW",
+ "description": "Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.0-deprecated",
 "category": "Security Center",
 "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "63d03cbd-47fd-4ee1-8a1c-9ddf07303de0",
 "alzCloudEnvironments": [
 "AzureCloud",
 "AzureChinaCloud",
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-AMA.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-AMA.json
index fec449274..2b456fab0 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-AMA.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-AMA.json
@@ -6,12 +6,14 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Configure SQL Virtual Machines to automatically install Azure Monitor Agent",
- "description": "Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview.",
+ "displayName": "[Deprecated]: Configure SQL Virtual Machines to automatically install Azure Monitor Agent",
+ "description": "Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/f91991d1-5383-4c95-8ee5-5ac423dd8bb1.html",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.0-deprecated",
 "category": "Security Center",
 "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "f91991d1-5383-4c95-8ee5-5ac423dd8bb1",
 "alzCloudEnvironments": [
 "AzureCloud",
 "AzureChinaCloud",
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-DefenderSQL-DCR.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-DefenderSQL-DCR.json
index b683aff53..6cd564908 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-DefenderSQL-DCR.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-DefenderSQL-DCR.json
@@ -6,12 +6,14 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace",
- "description": "Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.",
+ "displayName": "[Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW",
+ "description": "Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html",
 "metadata": {
- "version": "1.0.1",
+ "version": "1.0.1-deprecated",
 "category": "Security Center",
 "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "04754ef9-9ae3-4477-bf17-86ef50026304",
 "alzCloudEnvironments": [
 "AzureCloud",
 "AzureChinaCloud",
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-DefenderSQL.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-DefenderSQL.json
index 6ee701b64..b56e54526 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-DefenderSQL.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-DefenderSQL.json
@@ -6,12 +6,14 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL",
- "description": "Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations).",
+ "displayName": "[Deprecated]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL",
+ "description": "Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.0-deprecated",
 "category": "Security Center",
 "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce",
 "alzCloudEnvironments": [
 "AzureCloud",
 "AzureChinaCloud",
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json
new file mode 100644
index 000000000..caf64db9f
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json
@@ -0,0 +1,154 @@
+{
+ "name": "Deploy-Private-DNS-Generic",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Deploy-Private-DNS-Generic",
+ "description": "Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Networking",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "privateDnsZoneId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Private DNS Zone ID for Paas services",
+ "description": "The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "assignPermissions": true
+ }
+ },
+ "resourceType": {
+ "type": "String",
+ "metadata": {
+ "displayName": "PaaS private endpoint resource type",
+ "description": "The PaaS endpoint resource type."
+ }
+ },
+ "groupId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "PaaS Private endpoint group ID (subresource)",
+ "description": "The group ID of the PaaS private endpoint. Also referred to as subresource."
+ }
+ },
+ "evaluationDelay": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Evaluation Delay",
+ "description": "The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists"
+ },
+ "defaultValue": "PT10M"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/privateEndpoints"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
+ "contains": "[parameters('resourceType')]"
+ },
+ {
+ "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
+ "equals": "[parameters('groupId')]"
+ }
+ ]
+ }
+ },
+ "greaterOrEquals": 1
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
+ "evaluationDelay": "[parameters('evaluationDelay')]",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "privateDnsZoneId": {
+ "type": "string"
+ },
+ "privateEndpointName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
+ "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
+ "apiVersion": "2020-03-01",
+ "location": "[parameters('location')]",
+ "properties": {
+ "privateDnsZoneConfigs": [
+ {
+ "name": "PaaS-Service-Private-DNS-Zone-Config",
+ "properties": {
+ "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[parameters('privateDnsZoneId')]"
+ },
+ "privateEndpointName": {
+ "value": "[field('name')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-UserAssignedManagedIdentity-VMInsights.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-UserAssignedManagedIdentity-VMInsights.json
index 06d9b8e7d..c88be40b7 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-UserAssignedManagedIdentity-VMInsights.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-UserAssignedManagedIdentity-VMInsights.json
@@ -6,12 +6,13 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy User Assigned Managed Identity for VM Insights",
- "description": "Create and assign a User Assigned Managed Identity to Virtual Machines for VM Insights",
+ "displayName": "[Deprecated]: Deploy User Assigned Managed Identity for VM Insights",
+ "description": "Policy is deprecated as it's no longer required. User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.0-deprecated",
 "category": "Managed Identity",
 "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
 "alzCloudEnvironments": [
 "AzureCloud",
 "AzureChinaCloud",
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Modify-NSG.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Modify-NSG.json
new file mode 100644
index 000000000..7591cf640
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Modify-NSG.json
@@ -0,0 +1,129 @@
+{
+ "name": "Modify-NSG",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Enforce specific configuration of Network Security Groups (NSG)",
+ "description": "This policy enforces the configuration of Network Security Groups (NSG).",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ],
+ "defaultValue": "Modify",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "nsgRuleName": {
+ "type": "string",
+ "defaultValue": "DenyAnyInternetOutbound"
+ },
+ "nsgRulePriority": {
+ "type": "integer",
+ "defaultValue": 1000
+ },
+ "nsgRuleDirection": {
+ "type": "string",
+ "allowedValues": [
+ "Inbound",
+ "Outbound"
+ ],
+ "defaultValue": "Outbound"
+ },
+ "nsgRuleAccess": {
+ "type": "string",
+ "allowedValues": [
+ "Allow",
+ "Deny"
+ ],
+ "defaultValue": "Deny"
+ },
+ "nsgRuleProtocol": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "nsgRuleSourceAddressPrefix": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "nsgRuleSourcePortRange": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "nsgRuleDestinationAddressPrefix": {
+ "type": "string",
+ "defaultValue": "Internet"
+ },
+ "nsgRuleDestinationPortRange": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "nsgRuleDescription": {
+ "type": "string",
+ "defaultValue": "Deny any outbound traffic to the Internet"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/networkSecurityGroups"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]"
+ },
+ "equals": 0
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
+ ],
+ "conflictEffect": "audit",
+ "operations": [
+ {
+ "operation": "add",
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
+ "value": {
+ "name": "[parameters('nsgRuleName')]",
+ "properties": {
+ "description": "[parameters('nsgRuleDescription')]",
+ "protocol": "[parameters('nsgRuleProtocol')]",
+ "sourcePortRange": "[parameters('nsgRuleSourcePortRange')]",
+ "destinationPortRange": "[parameters('nsgRuleDestinationPortRange')]",
+ "sourceAddressPrefix": "[parameters('nsgRuleSourceAddressPrefix')]",
+ "destinationAddressPrefix": "[parameters('nsgRuleDestinationAddressPrefix')]",
+ "access": "[parameters('nsgRuleAccess')]",
+ "priority": "[parameters('nsgRulePriority')]",
+ "direction": "[parameters('nsgRuleDirection')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Modify-UDR.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Modify-UDR.json
new file mode 100644
index 000000000..aeba9b862
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Modify-UDR.json
@@ -0,0 +1,103 @@
+{
+ "name": "Modify-UDR",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Enforce specific configuration of User-Defined Routes (UDR)",
+ "description": "This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ],
+ "defaultValue": "Modify",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "addressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The destination IP address range in CIDR notation that this Policy checks for within the UDR. Example: 0.0.0.0/0 to check for the presence of a default route.",
+ "displayName": "Address Prefix"
+ }
+ },
+ "nextHopType": {
+ "type": "string",
+ "metadata": {
+ "description": "The next hope type that the policy checks for within the inspected route. The value can be Virtual Network, Virtual Network Gateway, Internet, Virtual Appliance, or None.",
+ "displayName": "Next Hop Type"
+ },
+ "allowedValues": [
+ "VnetLocal",
+ "VirtualNetworkGateway",
+ "Internet",
+ "VirtualAppliance",
+ "None"
+ ]
+ },
+ "nextHopIpAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The IP address packets should be forwarded to.",
+ "displayName": "Next Hop IP Address"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/routeTables"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/routeTables/routes[*]"
+ },
+ "equals": 0
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
+ ],
+ "conflictEffect": "audit",
+ "operations": [
+ {
+ "operation": "add",
+ "field": "Microsoft.Network/routeTables/routes[*]",
+ "value": {
+ "name": "default",
+ "properties": {
+ "addressPrefix": "[parameters('addressPrefix')]",
+ "nextHopType": "[parameters('nextHopType')]",
+ "nextHopIpAddress": "[parameters('nextHopIpAddress')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt
index bd8496804..1d2ddaace 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt
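Review bot: `nextHopIpAddress` has no `defaultValue`, so every assignment must supply one, yet the added route writes it unconditionally while the routeTables API (as I recall from its reference) only permits a next-hop address when `nextHopType` is `VirtualAppliance`; an assignment choosing `Internet`, `None`, `VnetLocal` or `VirtualNetworkGateway` would then fail at remediation. Consider `"defaultValue": ""` on the parameter and, if the `if()` policy function is available in your environment, `"nextHopIpAddress": "[if(equals(parameters('nextHopType'), 'VirtualAppliance'), parameters('nextHopIpAddress'), '')]"` in the operation value, or at least state the constraint in the parameter description. The `nextHopType` description also has a typo (`next hope type`) and lists `Virtual Network` while `allowedValues` uses `VnetLocal`; align it as `The next hop type written into the added route. Allowed values: VnetLocal, VirtualNetworkGateway, Internet, VirtualAppliance, None.` As with Modify-NSG, the `if` only matches route tables whose `routes[*]` count `equals` 0, so the description `enforces the configuration of User-Defined Routes (UDR) within a subnet` overstates it — the route is seeded once into empty tables and not re-enforced if it is later edited or the table already had routes.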
@@ -1,4 +1,22 @@ var varCustomPolicySetDefinitionsArray = [ + { + name: 'Audit-TrustedLaunch' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Audit-TrustedLaunch.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'AuditDisksOsTrustedLaunch' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa' + definitionParameters: varPolicySetDefinitionEsAuditTrustedLaunchParameters.AuditDisksOsTrustedLaunch.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AuditTrustedLaunchEnabled' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf' + definitionParameters: varPolicySetDefinitionEsAuditTrustedLaunchParameters.AuditTrustedLaunchEnabled.parameters + definitionGroups: [] + } + ] + } { name: 'Audit-UnusedResourcesCostOptimization' libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.json') @@ -75,6 +93,12 @@ var varCustomPolicySetDefinitionsArray = [ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AseDenyPublicIP.parameters definitionGroups: [] } + { + definitionReferenceId: 'AsrVaultDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AsrVaultDenyPublicIP.parameters + definitionGroups: [] + } { definitionReferenceId: 'AutomationDenyPublicIP' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6' 
@@ -105,6 +129,144 @@ var varCustomPolicySetDefinitionsArray = [ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.CosmosDenyPaasPublicIP.parameters definitionGroups: [] } + { + definitionReferenceId: 'Deny-Adf-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Adf-Public-Network-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ADX-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-ADX-Public-Network-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AppSlots-Public' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-AppSlots-Public'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Cognitive-Services-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Cognitive-Services-Network-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Cognitive-Services-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Cognitive-Services-Public-Network-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-CognitiveSearch-PublicEndpoint' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-CognitiveSearch-PublicEndpoint'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ContainerApps-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-ContainerApps-Public-Network-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-EH-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-EH-Public-Network-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-EventGrid-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-EventGrid-Public-Network-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-EventGrid-Topic-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-EventGrid-Topic-Public-Network-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Graphana-PublicNetworkAccess' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Graphana-PublicNetworkAccess'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Hostpool-PublicNetworkAccess' + 
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Hostpool-PublicNetworkAccess'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-KV-Hms-PublicNetwork' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-KV-Hms-PublicNetwork'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-LogicApp-Public-Network-Access' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-LogicApp-Public-Network-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ManagedDisk-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-ManagedDisk-Public-Network-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-MySql-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-MySql-Public-Network-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-PostgreSql-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-PostgreSql-Public-Network-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Sb-PublicEndpoint' 
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Sb-PublicEndpoint'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Sql-Managed-Public-Endpoint' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Sql-Managed-Public-Endpoint'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Storage-Public-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Storage-Public-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Synapse-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Synapse-Public-Network-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Workspace-PublicNetworkAccess' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Workspace-PublicNetworkAccess'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FunctionAppSlotsDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.FunctionAppSlotsDenyPublicIP.parameters + definitionGroups: [] + } { definitionReferenceId: 'FunctionDenyPublicIP' definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127' 
@@ -635,6 +797,114 @@ var varCustomPolicySetDefinitionsArray = [ } ] } + { + name: 'Deploy-MDFC-Config_20240319' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ascExport' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.ascExport.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'azurePolicyForKubernetes' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.azurePolicyForKubernetes.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForAppServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForAppServices.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForArm' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForArm.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderforContainers' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderforContainers.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForCosmosDbs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542' + definitionParameters: 
varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForCosmosDbs.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForCspm' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForCspm.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForKeyVaults' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForKeyVaults.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderforKubernetes' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderforKubernetes.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForOssDb' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForOssDb.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForSqlPaas' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForSqlPaas.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForSqlServerVirtualMachines' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForSqlServerVirtualMachines.parameters + definitionGroups: [] + } + { + definitionReferenceId: 
'defenderForStorageAccountsV2' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForStorageAccountsV2.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForVM' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForVM.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForVMVulnerabilityAssessment' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForVMVulnerabilityAssessment.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'migrateToMdeTvm' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.migrateToMdeTvm.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'securityEmailContact' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.securityEmailContact.parameters + definitionGroups: [] + } + ] + } { name: 'Deploy-MDFC-Config' libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json') 
@@ -825,6 +1095,12 @@ var varCustomPolicySetDefinitionsArray = [ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-AppServices'].parameters definitionGroups: [] } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Arc' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Arc'].parameters + definitionGroups: [] + } { definitionReferenceId: 'DINE-Private-DNS-Azure-Automation-DSCHybrid' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064' @@ -843,6 +1119,12 @@ var varCustomPolicySetDefinitionsArray = [ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Batch'].parameters definitionGroups: [] } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-BotService' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-BotService'].parameters + definitionGroups: [] + } { definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveSearch' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009' 
@@ -951,6 +1233,18 @@ var varCustomPolicySetDefinitionsArray = [ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoT'].parameters definitionGroups: [] } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-IoTCentral' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoTCentral'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-IoTDeviceupdate' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoTDeviceupdate'].parameters + definitionGroups: [] + } { definitionReferenceId: 'DINE-Private-DNS-Azure-IoTHubs' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02' @@ -969,6 +1263,12 @@ var varCustomPolicySetDefinitionsArray = [ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MachineLearningWorkspace'].parameters definitionGroups: [] } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-ManagedGrafanaWorkspace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ManagedGrafanaWorkspace'].parameters + definitionGroups: [] + } { definitionReferenceId: 'DINE-Private-DNS-Azure-MediaServices-Key' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991' 
@@ -1023,6 +1323,12 @@ var varCustomPolicySetDefinitionsArray = [
 definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Site-Recovery'].parameters
 definitionGroups: []
 }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery-Backup'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Site-Recovery-Backup'].parameters
+ definitionGroups: []
+ }
 {
 definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Blob'
 definitionId: '/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0'
@@ -1077,6 +1383,18 @@ var varCustomPolicySetDefinitionsArray = [
 definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-StaticWeb-Sec'].parameters
 definitionGroups: []
 }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Table'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Table'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Table-Secondary'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Table-Secondary'].parameters
+ definitionGroups: []
+ }
 {
 definitionReferenceId: 'DINE-Private-DNS-Azure-Synapse-Dev'
 definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9'
@@ -1095,6 +1413,18 @@ var varCustomPolicySetDefinitionsArray = [
 definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Synapse-SQL-OnDemand'].parameters
 definitionGroups: []
 }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-VirtualDesktopHostpool'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-VirtualDesktopHostpool'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-VirtualDesktopWorkspace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-VirtualDesktopWorkspace'].parameters
+ definitionGroups: []
+ }
 {
 definitionReferenceId: 'DINE-Private-DNS-Azure-Web'
 definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a'
@@ -1103,6 +1433,36 @@ var varCustomPolicySetDefinitionsArray = [
 }
 ]
 }
+ {
+ name: 'Deploy-Sql-Security_20240529'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security_20240529.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings'
+ definitionParameters: varPolicySetDefinitionEsDeploySqlSecurity_20240529Parameters.SqlDbAuditingSettingsDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies'
+ definitionParameters: varPolicySetDefinitionEsDeploySqlSecurity_20240529Parameters.SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlDbTdeDeploySqlSecurity'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f'
+ definitionParameters: varPolicySetDefinitionEsDeploySqlSecurity_20240529Parameters.SqlDbTdeDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706'
+ definitionParameters: varPolicySetDefinitionEsDeploySqlSecurity_20240529Parameters.SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ ]
+ }
 {
 name: 'Deploy-Sql-Security'
 libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.json')
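Review bot: The new `Deploy-Sql-Security_20240529` set is placed directly above the undated `Deploy-Sql-Security` set with no comment on how the two relate, so a reader cannot tell whether the dated set supersedes the old one or whether both are meant to be assigned. A one-line comment above `name: 'Deploy-Sql-Security_20240529'` such as `// Dated revision of 'Deploy-Sql-Security'; the undated set below is kept so existing assignments keep resolving` would capture that, assuming that is the intent. The `SqlDbVulnerabilityAssessmentsDeploySqlSecurity` child also resolves to the custom definition `Deploy-Sql-vulnerabilityAssessments_20230706` under `varTargetManagementGroupResourceId`, so that definition has to be present in the custom policy definitions this template deploys, which is outside the hunk. The enclosing `varCustomPolicySetDefinitionsArray` starts and ends outside the hunk.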
@@ -1205,6 +1565,48 @@ var varCustomPolicySetDefinitionsArray = [
 }
 ]
 }
+ {
+ name: 'Enforce-Backup'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'BackupBVault-Immutability'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018'
+ definitionParameters: varPolicySetDefinitionEsEnforceBackupParameters['BackupBVault-Immutability'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BackupBVault-MUA'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e'
+ definitionParameters: varPolicySetDefinitionEsEnforceBackupParameters['BackupBVault-MUA'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BackupBVault-SoftDelete'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016'
+ definitionParameters: varPolicySetDefinitionEsEnforceBackupParameters['BackupBVault-SoftDelete'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BackupRVault-Immutability'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868'
+ definitionParameters: varPolicySetDefinitionEsEnforceBackupParameters['BackupRVault-Immutability'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BackupRVault-MUA'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a'
+ definitionParameters: varPolicySetDefinitionEsEnforceBackupParameters['BackupRVault-MUA'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BackupRVault-SoftDelete'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148'
+ definitionParameters: varPolicySetDefinitionEsEnforceBackupParameters['BackupRVault-SoftDelete'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
 {
 name: 'Enforce-Encryption-CMK'
 libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json')
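Review bot: The `Enforce-Backup` set's reference ids rely on abbreviations (`BackupBVault-*`, `BackupRVault-*`, `-MUA`) with nothing spelling them out, and the set has no header comment saying what it enforces, so the six GUID-only entries cannot be read without resolving each definition. A comment above `name: 'Enforce-Backup'` such as `// Vault hardening for Backup vaults (BVault) and Recovery Services vaults (RVault): immutability, multi-user authorization (MUA) and soft delete` would make the block self-describing; the expansion of MUA is my reading of the name and should be confirmed against the referenced definitions before it goes in. Each entry also depends on a matching key in `varPolicySetDefinitionEsEnforceBackupParameters` and a matching `policyDefinitionReferenceId` in the lib JSON, both outside the hunk. The enclosing `varCustomPolicySetDefinitionsArray` starts and ends outside the hunk.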
@@ -1246,25 +1648,109 @@ var varCustomPolicySetDefinitionsArray = [
 definitionGroups: []
 }
 {
- definitionReferenceId: 'EncryptedVMDisksEffect'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d'
- definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.EncryptedVMDisksEffect.parameters
+ definitionReferenceId: 'Deny-Aa-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Aa-Cmk'].parameters
 definitionGroups: []
 }
 {
- definitionReferenceId: 'HealthcareAPIsCMKEffect'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119'
- definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.HealthcareAPIsCMKEffect.parameters
+ definitionReferenceId: 'Deny-Adf-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Adf-Cmk'].parameters
 definitionGroups: []
 }
 {
- definitionReferenceId: 'MySQLCMKEffect'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833'
- definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.MySQLCMKEffect.parameters
+ definitionReferenceId: 'Deny-ADX-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-ADX-Cmk'].parameters
 definitionGroups: []
 }
 {
- definitionReferenceId: 'PostgreSQLCMKEffect'
+ definitionReferenceId: 'Deny-Backup-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Backup-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-CognitiveSearch-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-CognitiveSearch-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ContainerInstance-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-ContainerInstance-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-EH-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-EH-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-EH-Premium-CMK'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-EH-Premium-CMK'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-OsAndDataDisk-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-OsAndDataDisk-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Sb-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Sb-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Sql-Managed-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Sql-Managed-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-Encryption-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Storage-Encryption-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-Queue-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Storage-Queue-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-Table-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Storage-Table-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EncryptedVMDisksEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.EncryptedVMDisksEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'HealthcareAPIsCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.HealthcareAPIsCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.MySQLCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLCMKEffect'
 definitionId: '/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274'
 definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.PostgreSQLCMKEffect.parameters
 definitionGroups: []
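Review bot: `Deny-EH-Premium-CMK` is the only child in the `Enforce-Encryption-CMK` set that resolves to a custom definition under `varTargetManagementGroupResourceId` rather than a built-in GUID, so it depends on a `Deny-EH-Premium-CMK` definition being present in the custom policy definitions this template deploys, which is outside the hunk and should be checked alongside this change. The three removed blocks (`EncryptedVMDisksEffect`, `HealthcareAPIsCMKEffect`, `MySQLCMKEffect`) reappear verbatim lower in the hunk, so the functional delta is the fourteen new `Deny-*-Cmk` children plus a reorder that appears to put the children in alphabetical order of reference id; a comment above `libSetChildDefinitions: [` such as `// keep children sorted by definitionReferenceId` would stop the next addition from being appended at the end and causing another churn diff. The enclosing `varCustomPolicySetDefinitionsArray` starts and ends outside the hunk.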
@@ -1301,6 +1787,240 @@ var varCustomPolicySetDefinitionsArray = [
 }
 ]
 }
+ {
+ name: 'Enforce-EncryptTransit_20240509'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'AKSIngressHttpsOnlyEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.AKSIngressHttpsOnlyEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'APIAppServiceHttpsEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.APIAppServiceHttpsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceHttpEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.AppServiceHttpEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceminTlsVersion'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.AppServiceminTlsVersion.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'ContainerAppsHttpsOnlyEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.ContainerAppsHttpsOnlyEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-AppService-Apps-Https'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-AppService-Apps-Https'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-AppService-Slots-Https'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-AppService-Slots-Https'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-AppService-Tls'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-AppService-Tls'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ContainerApps-Https'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-ContainerApps-Https'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-EH-MINTLS'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-MINTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-EH-MINTLS'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-FuncAppSlots-Https'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-FuncAppSlots-Https'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-FunctionApp-Https'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-FunctionApp-Https'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-LogicApp-Without-Https'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-LogicApp-Without-Https'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Sql-Db-Tls'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-Sql-Db-Tls'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Sql-Managed-Tls-Version'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-Sql-Managed-Tls-Version'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-Tls'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-Storage-Tls'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Synapse-Tls-Version'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-Synapse-Tls-Version'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deploy-LogicApp-TLS'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deploy-LogicApp-TLS'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Dine-AppService-Apps-Tls'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Dine-AppService-Apps-Tls'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-AppService-AppSlotTls'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['DINE-AppService-AppSlotTls'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Dine-Function-Apps-Slots-Tls'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Dine-Function-Apps-Slots-Tls'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Dine-FunctionApp-Tls'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Dine-FunctionApp-Tls'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FunctionLatestTlsEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.FunctionLatestTlsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FunctionServiceHttpsEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.FunctionServiceHttpsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLEnableSSLDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.MySQLEnableSSLDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLEnableSSLEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.MySQLEnableSSLEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.PostgreSQLEnableSSLDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLEnableSSLEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.PostgreSQLEnableSSLEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisDenyhttps'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.RedisDenyhttps.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisdisableNonSslPort'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.RedisdisableNonSslPort.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisTLSDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.RedisTLSDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.SQLManagedInstanceTLSDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLManagedInstanceTLSEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.SQLManagedInstanceTLSEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLServerTLSDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.SQLServerTLSDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLServerTLSEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.SQLServerTLSEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageDeployHttpsEnabledEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.StorageDeployHttpsEnabledEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WebAppServiceHttpsEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.WebAppServiceHttpsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WebAppServiceLatestTlsEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.WebAppServiceLatestTlsEffect.parameters
+ definitionGroups: []
+ }
+ ]
+ }
 {
 name: 'Enforce-EncryptTransit'
 libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.json')
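Review bot: `ContainerAppsHttpsOnlyEffect` and `Deny-ContainerApps-Https` both point at the same built-in definition `0e80e269-43a4-4ae9-b5bc-178126b8a5cb`, so the new `Enforce-EncryptTransit_20240509` set carries that policy twice under two reference ids with two independent effect parameters. An initiative accepts that, but it presumably produces duplicate compliance results and, if the two effects are ever set differently, leaves the stricter one silently in charge; either drop one of the two entries or add a comment on `definitionReferenceId: 'Deny-ContainerApps-Https'` saying why both are retained (for example `// same definition as ContainerAppsHttpsOnlyEffect; kept for parameter compatibility`, if that is the reason). Separately, the reference id `Deny-LogicApp-Without-Https` resolves to the custom definition `Deny-LogicApps-Without-Https` (singular vs plural), which reads like a typo; a short comment confirming the definition name is intentional would save the next reader a lookup, and that definition, like the other `varTargetManagementGroupResourceId` children here, must exist in this template's custom definitions, which are outside the hunk. The enclosing `varCustomPolicySetDefinitionsArray` starts and ends outside the hunk.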
@@ -1440,67 +2160,1431 @@ var varCustomPolicySetDefinitionsArray = [ ] } { - name: 'Enforce-Guardrails-KeyVault' - libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json') + name: 'Enforce-Guardrails-APIM' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-APIM.json') libSetChildDefinitions: [ { - definitionReferenceId: 'KvCertLifetime' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417' - definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvCertLifetime.parameters + definitionReferenceId: 'Deny-Api-subscription-scope' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-Api-subscription-scope'].parameters definitionGroups: [] } { - definitionReferenceId: 'KvFirewallEnabled' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490' - definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvFirewallEnabled.parameters + definitionReferenceId: 'Deny-Apim-Authn' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-Apim-Authn'].parameters definitionGroups: [] } { - definitionReferenceId: 'KvKeysExpire' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0' - definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvKeysExpire.parameters + definitionReferenceId: 'Deny-Apim-Cert-Validation' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4' + definitionParameters: 
varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-Apim-Cert-Validation'].parameters definitionGroups: [] } { - definitionReferenceId: 'KvKeysLifetime' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146' - definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvKeysLifetime.parameters + definitionReferenceId: 'Deny-Apim-Direct-Endpoint' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-Apim-Direct-Endpoint'].parameters definitionGroups: [] } { - definitionReferenceId: 'KvPurgeProtection' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53' - definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvPurgeProtection.parameters + definitionReferenceId: 'Deny-Apim-Protocols' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-Apim-Protocols'].parameters definitionGroups: [] } { - definitionReferenceId: 'KvSecretsExpire' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37' - definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvSecretsExpire.parameters + definitionReferenceId: 'Deny-Apim-Sku-Vnet' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-Apim-Sku-Vnet'].parameters definitionGroups: [] } { - definitionReferenceId: 'KvSecretsLifetime' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a' - definitionParameters: 
varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvSecretsLifetime.parameters + definitionReferenceId: 'Deny-APIM-TLS' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-APIM-TLS'].parameters definitionGroups: [] } { - definitionReferenceId: 'KvSoftDelete' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d' - definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvSoftDelete.parameters + definitionReferenceId: 'Deny-Apim-Version' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-Apim-Version'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Apim-without-Kv' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-Apim-without-Kv'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Apim-without-Vnet' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-Apim-without-Vnet'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Dine-Apim-Public-NetworkAccess' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Dine-Apim-Public-NetworkAccess'].parameters definitionGroups: [] } ] } -] - - -// Policy Set/Initiative Definition Parameter Variables - -var 
varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.parameters.json') - -var varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json') + { + name: 'Enforce-Guardrails-AppServices' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-AppServices.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-AppServ-FtpAuth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Deny-AppServ-FtpAuth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AppServ-Routing' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Deny-AppServ-Routing'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AppServ-SkuPl' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Deny-AppServ-SkuPl'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AppService-Byoc' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Deny-AppService-Byoc'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AppService-Latest-Version' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Deny-AppService-Latest-Version'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AppService-Rfc' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Deny-AppService-Rfc'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AppService-Slots-Remote-Debugging' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Deny-AppService-Slots-Remote-Debugging'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AppService-Vnet-Routing' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Deny-AppService-Vnet-Routing'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AppServiceApps-Rfc' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Deny-AppServiceApps-Rfc'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Dine-AppService-Apps-Remote-Debugging' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Dine-AppService-Apps-Remote-Debugging'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-AppService-Debugging' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['DINE-AppService-Debugging'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-AppService-LocalAuth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['DINE-AppService-LocalAuth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-AppService-ScmAuth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['DINE-AppService-ScmAuth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-FuncApp-Debugging' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['DINE-FuncApp-Debugging'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-AppService-App-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Modify-AppService-App-Public-Network-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-AppService-Apps-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Modify-AppService-Apps-Public-Network-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-AppService-Https' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Modify-AppService-Https'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Function-Apps-Slots-Https' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Modify-Function-Apps-Slots-Https'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Function-Apps-Slots-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Modify-Function-Apps-Slots-Public-Network-Access'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-Automation' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Automation.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-Aa-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters['Deny-Aa-Local-Auth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Aa-Managed-Identity' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters['Deny-Aa-Managed-Identity'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Aa-Variables-Encrypt' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735' + definitionParameters: 
varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters['Deny-Aa-Variables-Encrypt'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Windows-Vm-HotPatch' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters['Deny-Windows-Vm-HotPatch'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Aa-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters['Modify-Aa-Local-Auth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Aa-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters['Modify-Aa-Public-Network-Access'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-CognitiveServices' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-CognitiveSearch-SKU' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-CognitiveSearch-SKU'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-CongitiveSearch-LocalAuth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-CongitiveSearch-LocalAuth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 
'Modify-Cognitive-Services-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Modify-Cognitive-Services-Public-Network-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-CogntiveSearch-LocalAuth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Modify-CogntiveSearch-LocalAuth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-CogntiveSearch-PublicEndpoint' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Modify-CogntiveSearch-PublicEndpoint'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-Compute' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Compute.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-Disk-Double-Encryption' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsComputeParameters['Deny-Disk-Double-Encryption'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-VmAndVmss-Encryption-Host' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsComputeParameters['Deny-VmAndVmss-Encryption-Host'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-ContainerApps' + libSetDefinition: 
loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerApps.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-ContainerApp-Vnet-Injection' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerAppsParameters['Deny-ContainerApp-Vnet-Injection'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ContainerApps-Managed-Identity' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerAppsParameters['Deny-ContainerApps-Managed-Identity'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-ContainerInstance' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerInstance.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-ContainerInstance-Vnet' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerInstanceParameters['Deny-ContainerInstance-Vnet'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-ContainerRegistry' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerRegistry.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-ContainerRegistry-Anonymous-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Deny-ContainerRegistry-Anonymous-Auth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ContainerRegistry-Arm-Audience' + 
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Deny-ContainerRegistry-Arm-Audience'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ContainerRegistry-Exports' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Deny-ContainerRegistry-Exports'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ContainerRegistry-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Deny-ContainerRegistry-Local-Auth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ContainerRegistry-Repo-Token' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Deny-ContainerRegistry-Repo-Token'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ContainerRegistry-Sku-PrivateLink' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Deny-ContainerRegistry-Sku-PrivateLink'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ContainerRegistry-Unrestricted-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Deny-ContainerRegistry-Unrestricted-Network-Access'].parameters + 
definitionGroups: [] + } + { + definitionReferenceId: 'Modify-ContainerRegistry-Anonymous-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Modify-ContainerRegistry-Anonymous-Auth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-ContainerRegistry-Arm-Audience' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Modify-ContainerRegistry-Arm-Audience'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-ContainerRegistry-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Modify-ContainerRegistry-Local-Auth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-ContainerRegistry-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Modify-ContainerRegistry-Public-Network-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-ContainerRegistry-Repo-Token' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Modify-ContainerRegistry-Repo-Token'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-CosmosDb' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CosmosDb.json') + libSetChildDefinitions: [ + { + 
definitionReferenceId: 'Append-CosmosDb-Metadata' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCosmosDbParameters['Append-CosmosDb-Metadata'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-CosmosDb-Fw-Rules' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCosmosDbParameters['Deny-CosmosDb-Fw-Rules'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-CosmosDb-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCosmosDbParameters['Deny-CosmosDb-Local-Auth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Dine-CosmosDb-Atp' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCosmosDbParameters['Dine-CosmosDb-Atp'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-CosmosDb-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCosmosDbParameters['Modify-CosmosDb-Local-Auth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-CosmosDb-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCosmosDbParameters['Modify-CosmosDb-Public-Network-Access'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-DataExplorer' + libSetDefinition: 
loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataExplorer.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-ADX-Double-Encryption' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsDataExplorerParameters['Deny-ADX-Double-Encryption'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ADX-Encryption' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsDataExplorerParameters['Deny-ADX-Encryption'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ADX-Sku-without-PL-Support' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsDataExplorerParameters['Deny-ADX-Sku-without-PL-Support'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-ADX-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsDataExplorerParameters['Modify-ADX-Public-Network-Access'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-DataFactory' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataFactory.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-Adf-Git' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsDataFactoryParameters['Deny-Adf-Git'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Adf-Linked-Service-Key-Vault' + 
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsDataFactoryParameters['Deny-Adf-Linked-Service-Key-Vault'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Adf-Managed-Identity' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsDataFactoryParameters['Deny-Adf-Managed-Identity'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Adf-Sql-Integration' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsDataFactoryParameters['Deny-Adf-Sql-Integration'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Adf-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsDataFactoryParameters['Modify-Adf-Public-Network-Access'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-EventGrid' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventGrid.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-EventGrid-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventGridParameters['Deny-EventGrid-Local-Auth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-EventGrid-Partner-Namespace-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e' + definitionParameters: 
varPolicySetDefinitionEsEnforceGuardrailsEventGridParameters['Deny-EventGrid-Partner-Namespace-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-EventGrid-Topic-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventGridParameters['Deny-EventGrid-Topic-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-EventGrid-Domain-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventGridParameters['Modify-EventGrid-Domain-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-EventGrid-Domain-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventGridParameters['Modify-EventGrid-Domain-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-EventGrid-Partner-Namespace-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventGridParameters['Modify-EventGrid-Partner-Namespace-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-EventGrid-Topic-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventGridParameters['Modify-EventGrid-Topic-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-EventGrid-Topic-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventGridParameters['Modify-EventGrid-Topic-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-EventHub'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventHub.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-EH-Auth-Rules'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventHubParameters['Deny-EH-Auth-Rules'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-EH-Double-Encryption'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventHubParameters['Deny-EH-Double-Encryption'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-EH-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventHubParameters['Deny-EH-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-EH-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventHubParameters['Modify-EH-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-KeyVault-Sup'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault-Sup.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Modify-KV-Fw'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultSupParameters['Modify-KV-Fw'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-KV-PublicNetworkAccess'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultSupParameters['Modify-KV-PublicNetworkAccess'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-KeyVault'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Kv-Cert-Expiration-Within-Specific-Number-Days'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-Kv-Cert-Expiration-Within-Specific-Number-Days'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Cert-Period'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Cert-Period'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Cryptographic-Type'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Cryptographic-Type'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Curve-Names'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Curve-Names'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Elliptic-Curve'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Elliptic-Curve'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Hms-Key-Expire'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Hms-Key-Expire'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Hms-PurgeProtection'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Hms-PurgeProtection'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Kv-Hsm-Curve-Names'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-Kv-Hsm-Curve-Names'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Kv-Hsm-MinimumDays-Before-Expiration'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-Kv-Hsm-MinimumDays-Before-Expiration'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Kv-Integrated-Ca'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-Kv-Integrated-Ca'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Key-Active'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Key-Active'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Key-Types'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Key-Types'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Keys-Expire'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Keys-Expire'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Kv-Non-Integrated-Ca'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-Kv-Non-Integrated-Ca'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-RSA-Keys-without-MinCertSize'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-RSA-Keys-without-MinCertSize'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-RSA-Keys-without-MinKeySize'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-RSA-Keys-without-MinKeySize'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Secret-ActiveDays'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Secret-ActiveDays'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Kv-Secret-Content-Type'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-Kv-Secret-Content-Type'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Secrets-ValidityDays'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Secrets-ValidityDays'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-without-ArmRbac'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-without-ArmRbac'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvCertLifetime'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvCertLifetime.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvFirewallEnabled'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvFirewallEnabled.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvKeysExpire'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvKeysExpire.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvKeysLifetime'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvKeysLifetime.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvPurgeProtection'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvPurgeProtection.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvSecretsExpire'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvSecretsExpire.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvSecretsLifetime'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvSecretsLifetime.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvSoftDelete'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvSoftDelete.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-Kubernetes'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-Aks-Allowed-Capabilities'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Allowed-Capabilities'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Cni'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Cni'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Default-Namespace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Default-Namespace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Internal-Lb'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Internal-Lb'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Kms'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Kms'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Naked-Pods'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Naked-Pods'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Priv-Containers'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Priv-Containers'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Priv-Escalation'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Priv-Escalation'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Private-Cluster'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Private-Cluster'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-ReadinessOrLiveness-Probes'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-ReadinessOrLiveness-Probes'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Shared-Host-Process-Namespace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Shared-Host-Process-Namespace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Temp-Disk-Encryption'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Temp-Disk-Encryption'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Windows-Container-Administrator'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Windows-Container-Administrator'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Dine-Aks-Command-Invoke'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Dine-Aks-Command-Invoke'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Dine-Aks-Policy'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Dine-Aks-Policy'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-MachineLearning'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-ML-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ML-Outdated-Os'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Outdated-Os'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ML-User-Assigned-Identity'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-User-Assigned-Identity'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-ML-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Modify-ML-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-ML-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Modify-ML-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-MySQL'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MySQL.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-MySql-Infra-Encryption'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMySQLParameters['Deny-MySql-Infra-Encryption'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Dine-MySql-Adv-Threat-Protection'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMySQLParameters['Dine-MySql-Adv-Threat-Protection'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-Network'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-AppGw-Without-Tls'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-AppGw-Without-Tls'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-AppGw-Without-Waf'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-AppGw-Without-Waf'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-FW-AllIDPSS'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-FW-AllIDPSS'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-FW-EmpIDPSBypass'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-FW-EmpIDPSBypass'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-FW-TLS-AllApp'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-FW-TLS-AllApp'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-FW-TLS-Inspection'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-FW-TLS-Inspection'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Ip-Forwarding'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Ip-Forwarding'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Mgmt-From-Internet'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Mgmt-From-Internet'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Nsg-GW-subnet'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Nsg-GW-subnet'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Subnet-with-Service-Endpoints'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Subnet-with-Service-Endpoints'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Subnet-Without-NSG'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Subnet-Without-NSG'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Subnet-Without-UDR'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-UDR'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Subnet-Without-UDR'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-vNic-Pip'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-vNic-Pip'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-VPN-AzureAD'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-VPN-AzureAD'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Waf-Afd-Enabled'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Waf-Afd-Enabled'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Waf-AppGw-mode'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Waf-AppGw-mode'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Waf-Fw-rules'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Waf-Fw-rules'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Waf-IDPS'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Waf-IDPS'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Waf-mode'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Waf-mode'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-Nsg'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Modify-Nsg'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-Udr'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Modify-Udr'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-vNet-DDoS'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Modify-vNet-DDoS'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-OpenAI'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-Cognitive-Services-Cust-Storage'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-Cognitive-Services-Cust-Storage'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Cognitive-Services-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-Cognitive-Services-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Cognitive-Services-Managed-Identity'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-Cognitive-Services-Managed-Identity'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-OpenAi-NetworkAcls'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-OpenAi-NetworkAcls'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-OpenAi-OutboundNetworkAccess'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-OpenAi-OutboundNetworkAccess'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-Cognitive-Services-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Modify-Cognitive-Services-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-PostgreSQL'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-PostgreSQL.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Dine-PostgreSql-Adv-Threat-Protection'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsPostgreSQLParameters['Dine-PostgreSql-Adv-Threat-Protection'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-ServiceBus'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ServiceBus.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-Sb-Authz-Rules'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsServiceBusParameters['Deny-Sb-Authz-Rules'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Sb-Encryption'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsServiceBusParameters['Deny-Sb-Encryption'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Sb-LocalAuth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsServiceBusParameters['Deny-Sb-LocalAuth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-Sb-LocalAuth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsServiceBusParameters['Modify-Sb-LocalAuth'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-SQL'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-SQL.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-Sql-Aad-Only'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSQLParameters['Deny-Sql-Aad-Only'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Sql-Managed-Aad-Only'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSQLParameters['Deny-Sql-Managed-Aad-Only'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Dine-Sql-Adv-Data'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSQLParameters['Dine-Sql-Adv-Data'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Dine-Sql-Managed-Defender'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSQLParameters['Dine-Sql-Managed-Defender'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-Sql-PublicNetworkAccess'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSQLParameters['Modify-Sql-PublicNetworkAccess'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-Storage'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-Storage-Account-Encryption'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-Account-Encryption'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-Account-Keys-Expire'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-Account-Keys-Expire'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-Classic'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-Classic'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-ContainerDeleteRetentionPolicy'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-ContainerDeleteRetentionPolicy'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-CopyScope'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-CopyScope'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-CorsRules'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-CorsRules'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-Cross-Tenant'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-Cross-Tenant'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-Infra-Encryption'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-Infra-Encryption'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-LocalUser'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-LocalUser'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-NetworkAclsBypass'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-NetworkAclsBypass'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-NetworkAclsVirtualNetworkRules'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-NetworkAclsVirtualNetworkRules'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-NetworkRules'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-NetworkRules'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-ResourceAccessRulesResourceId'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-ResourceAccessRulesResourceId'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-ResourceAccessRulesTenantId'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-ResourceAccessRulesTenantId'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-Restrict-NetworkRules'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-Restrict-NetworkRules'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-ServicesEncryption'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-ServicesEncryption'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-Sftp'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-Sftp'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-Sftp'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-Shared-Key'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-Shared-Key'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Dine-Storage-Threat-Protection'
+ definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Dine-Storage-Threat-Protection'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Blob-Storage-Account-PublicEndpoint' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Modify-Blob-Storage-Account-PublicEndpoint'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Storage-Account-PublicEndpoint' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Modify-Storage-Account-PublicEndpoint'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Storage-FileSync-PublicEndpoint' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Modify-Storage-FileSync-PublicEndpoint'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-Synapse' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-Synapse-Data-Traffic' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters['Deny-Synapse-Data-Traffic'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Synapse-Fw-Rules' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8' + definitionParameters: 
varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters['Deny-Synapse-Fw-Rules'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Synapse-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters['Deny-Synapse-Local-Auth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Synapse-Managed-Vnet' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters['Deny-Synapse-Managed-Vnet'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Synapse-Tenant-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters['Deny-Synapse-Tenant-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Dine-Synapse-Defender' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters['Dine-Synapse-Defender'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Synapse-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters['Modify-Synapse-Local-Auth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Synapse-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters['Modify-Synapse-Public-Network-Access'].parameters + 
definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Synapse-Tls-Version' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters['Modify-Synapse-Tls-Version'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-VirtualDesktop' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-VirtualDesktop.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Modify-Hostpool-PublicNetworkAccess' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsVirtualDesktopParameters['Modify-Hostpool-PublicNetworkAccess'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Workspace-PublicNetworkAccess' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsVirtualDesktopParameters['Modify-Workspace-PublicNetworkAccess'].parameters + definitionGroups: [] + } + ] + } +] + + +// Policy Set/Initiative Definition Parameter Variables + +var varPolicySetDefinitionEsAuditTrustedLaunchParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Audit-TrustedLaunch.parameters.json') + +var varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.parameters.json') + +var varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json') var varPolicySetDefinitionEsDenyActionDeleteProtectionParameters = 
loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.parameters.json') @@ -1508,12 +3592,16 @@ var varPolicySetDefinitionEsDeployAUMCheckUpdatesParameters = loadJsonContent('l var varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.parameters.json') +var varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.parameters.json') + var varPolicySetDefinitionEsDeployMDFCConfigParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json') var varPolicySetDefinitionEsDeployMDFCDefenderSQLAMAParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-DefenderSQL-AMA.parameters.json') var varPolicySetDefinitionEsDeployPrivateDNSZonesParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json') +var varPolicySetDefinitionEsDeploySqlSecurity_20240529Parameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security_20240529.parameters.json') + var varPolicySetDefinitionEsDeploySqlSecurityParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.parameters.json') var varPolicySetDefinitionEsEnforceACSBParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.parameters.json') 
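Review bot: The new `varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters` and `varPolicySetDefinitionEsDeploySqlSecurity_20240529Parameters` loads are placed directly above the un-suffixed `Deploy-MDFC-Config` and `Deploy-Sql-Security` loads, and nothing in the hunk says how the dated and undated generations relate or which one new assignments should target. A one-line comment above each dated variable, for example `// Dated revision of Deploy-MDFC-Config; the un-suffixed set below is retained for existing assignments — confirm before removing either`, would spare the next maintainer from guessing. The underscore-plus-date suffix also departs from the camelCase used by every other `varPolicySetDefinitionEs…Parameters` name in this file; that is presumably chosen to mirror the library file name, which is fine, but the comment should say so.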
@@ -1522,9 +3610,63 @@ var varPolicySetDefinitionEsEnforceALZDecommParameters = loadJsonContent('lib/po var varPolicySetDefinitionEsEnforceALZSandboxParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.parameters.json') +var varPolicySetDefinitionEsEnforceBackupParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.parameters.json') + var varPolicySetDefinitionEsEnforceEncryptionCMKParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json') +var varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.parameters.json') + var varPolicySetDefinitionEsEnforceEncryptTransitParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.parameters.json') +var varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-APIM.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-AppServices.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Automation.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsComputeParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Compute.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsContainerAppsParameters = 
loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerApps.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsContainerInstanceParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerInstance.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerRegistry.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsCosmosDbParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CosmosDb.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsDataExplorerParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataExplorer.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsDataFactoryParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataFactory.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsEventGridParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventGrid.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsEventHubParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventHub.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsKeyVaultSupParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault-Sup.parameters.json') + var varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.parameters.json') +var varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters = 
loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsMySQLParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MySQL.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsPostgreSQLParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-PostgreSQL.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsServiceBusParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ServiceBus.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsSQLParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-SQL.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsStorageParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsVirtualDesktopParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-VirtualDesktop.parameters.json') + 
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-TrustedLaunch.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-TrustedLaunch.json new file mode 100644 index 000000000..09491dae7 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-TrustedLaunch.json 
@@ -0,0 +1,58 @@ +{ + "name": "Audit-TrustedLaunch", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Audit virtual machines for Trusted Launch support", + "description": "Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.", + "metadata": { + "version": "1.0.0", + "category": "Trusted Launch", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AuditDisksOsTrustedLaunch", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AuditTrustedLaunchEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-TrustedLaunch.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-TrustedLaunch.parameters.json new file mode 100644 index 000000000..51de616da --- /dev/null 
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-TrustedLaunch.parameters.json @@ -0,0 +1,16 @@ +{ + "AuditDisksOsTrustedLaunch": { + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "AuditTrustedLaunchEnabled": { + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + } + } + } +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json index fa63ce3a0..937bd11d9 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json @@ -8,7 +8,7 @@ "displayName": "Public network access should be disabled for PaaS services", "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints", "metadata": { - "version": "3.2.0", + "version": "5.0.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -20,7 +20,7 @@ "type": "String", "metadata": { "displayName": "Public network access should be disabled for CosmosDB", - "description": "This policy denies that Cosmos database accounts are created with out public network access is disabled." + "description": "This policy denies that Cosmos database accounts are created with out public network access is disabled." }, "allowedValues": [ "Audit", 
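Review bot: The Cosmos DB `description` on the changed line in the `@@ -20,7 +20,7 @@` hunk is still ungrammatical after this commit — the removed and added text read the same ("created with out public network access is disabled"), so the change appears to be whitespace only. Since the line is already being touched, the wording could be fixed in the same edit: `"description": "This policy denies creation of Cosmos DB accounts that do not have public network access disabled."`. The "denies creation of … with exposed public endpoints" phrasing used by the neighbouring parameters in this file would be an equally good choice and keeps the descriptions uniform.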
@@ -85,7 +85,7 @@ "type": "String", "metadata": { "displayName": "Public network access on Azure Container Registry disabled", - "description": "This policy denies the creation of Azure Container Registires with exposed public endpoints " + "description": "This policy denies the creation of Azure Container Registries with exposed public endpoints " }, "allowedValues": [ "Audit", @@ -111,7 +111,20 @@ "type": "String", "metadata": { "displayName": "Public network access should be disabled for PostgreSql Flexible Server", - "description": "This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints" + "description": "This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "postgreSqlPublicNetworkAccess": { + "type": "string", + "metadata": { + "displayName": "Public network access should be disabled for PostgreSQL servers", + "description": "This policy denies creation of PostgreSQL DB accounts with exposed public endpoints" }, "allowedValues": [ "Audit", @@ -189,7 +202,7 @@ "type": "String", "metadata": { "displayName": "Public network access should be disabled for Bot Service", - "description": "This policy denies creation of Bot Service with exposed public endpoints. Bots should be seet to 'isolated only' mode" + "description": "This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode" }, "allowedValues": [ "Audit", 
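Review bot: The new `postgreSqlPublicNetworkAccess` parameter in the `@@ -111,7 +111,20 @@` hunk is declared with `"type": "string"` while the PostgreSQL Flexible Server parameter immediately above it and the other pre-existing parameters use `"type": "String"`; the same mixed casing recurs in the `@@ -287,6 +313,207 @@` hunk below, where `AsrVaultDenyEffect` uses `String` and every parameter after it uses `string`. Azure Policy appears to accept either spelling, but one casing per file makes the parameters block easier to scan and to lint. Changing the new entry to `"type": "String"` is the smaller edit.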
@@ -202,7 +215,7 @@ "type": "String", "metadata": { "displayName": "Public network access should be disabled for Automation accounts", - "description": "This policy denies creation of Automation accounts with exposed public endpoints. Bots should be seet to 'isolated only' mode" + "description": "This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode" }, "allowedValues": [ "Audit", @@ -237,6 +250,19 @@ ], "defaultValue": "Deny" }, + "FunctionAppSlotPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Function apps", + "description": "This policy denies creation of Function apps with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, "AsePublicIpDenyEffect": { "type": "String", "metadata": { 
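Review bot: The Automation accounts `description` in the `@@ -202,7 +215,7 @@` hunk keeps a sentence that belongs to the Bot Service parameter fixed in the previous hunk: after the typo correction it still ends with "Bots should be set to 'isolated only' mode", which has no meaning for Automation accounts and reads as a copy-paste leftover. Since the line is being edited anyway, trim it to `"description": "This policy denies creation of Automation accounts with exposed public endpoints"`.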
@@ -287,6 +313,207 @@ "Disabled" ], "defaultValue": "Deny" + }, + "AsrVaultDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Azure Recovery Services vaults should disable public network access", + "description": "This policy denies creation of Azure Recovery Services vaults with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "logicAppPublicNetworkAccessEffect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "appSlotsPublicNetworkAccess": { + "type": "string", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "cognitiveSearchPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "managedDiskPublicNetworkAccess": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "containerAppsPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adxPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adfPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventGridPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventGridTopicPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubNamespacesPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultManagedHsmDisablePublicNetwork": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": 
[ + "Audit", + "Deny", + "Disabled" + ] + }, + "mySqlPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "serviceBusDisablePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "sqlManagedPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsPublicAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapsePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "avdHostPoolPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "avdWorkspacePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "graphanaPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] } }, "policyDefinitions": [ 
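Review bot: Every parameter added after `AsrVaultDenyEffect` in this hunk — `logicAppPublicNetworkAccessEffect` through `graphanaPublicNetworkAccess` — is declared without a `metadata` block, whereas `AsrVaultDenyEffect` and all pre-existing parameters in the file carry a `displayName` and `description`. Those two fields are what consumers of the initiative see when they review or assign it, so each new parameter should get them, e.g. for Logic Apps `"metadata": { "displayName": "Public network access should be disabled for Logic Apps", "description": "This policy denies creation of Logic Apps with exposed public endpoints" }`. Two smaller points: `graphanaPublicNetworkAccess` looks like a misspelling of Grafana, and if it is renamed the matching `parameters('…')` reference in `policyDefinitions` must be renamed with it; and `managedDiskPublicNetworkAccess` is the only new parameter that offers no `Deny` value and defaults to `Audit` — if that reflects a limitation of the referenced built-in definition, a description saying so would stop readers from treating it as an oversight.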
@@ -370,6 +597,16 @@ }, "groupNames": [] }, + { + "policyDefinitionReferenceId": "Deny-PostgreSql-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c", + "parameters": { + "effect": { + "value": "[[parameters('postgreSqlPublicNetworkAccess')]" + } + }, + "groupNames": [] + }, { "policyDefinitionReferenceId": "MySQLFlexDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", @@ -460,6 +697,16 @@ }, "groupNames": [] }, + { + "policyDefinitionReferenceId": "FunctionAppSlotsDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2", + "parameters": { + "effect": { + "value": "[[parameters('FunctionAppSlotPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, { "policyDefinitionReferenceId": "AseDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3", 
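Review bot: The two new `policyDefinitionReferenceId` values follow different conventions from each other and from their neighbours: `Deny-PostgreSql-Public-Network-Access` uses the hyphenated form, while `FunctionAppSlotsDenyPublicIP` in the `@@ -460,6 +697,16 @@` hunk follows the PascalCase form of the adjacent `MySQLFlexDenyPublicIP` and `AseDenyPublicIP`. Reference ids are the keys that the companion `.parameters.json` file and the Bicep `definitionReferenceId` entries must match exactly, so settling on one convention for new entries before they are consumed anywhere is cheaper than renaming later. The same split shows in the parameter names the two entries consume, `postgreSqlPublicNetworkAccess` versus `FunctionAppSlotPublicIpDenyEffect`.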
@@ -499,6 +746,226 @@ } }, "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ContainerApps-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1", + "parameters": { + "effect": { + "value": "[[parameters('containerAppsPublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AsrVaultDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090", + "parameters": { + "effect": { + "value": "[[parameters('AsrVaultDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-LogicApp-Public-Network-Access", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network", + "parameters": { + "effect": { + "value": "[[parameters('logicAppPublicNetworkAccessEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AppSlots-Public", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622", + "parameters": { + "effect": { + "value": "[[parameters('appSlotsPublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-CognitiveSearch-PublicEndpoint", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3", + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchPublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ManagedDisk-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094", + "parameters": { + "effect": { + "value": "[[parameters('managedDiskPublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "Deny-ADX-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673", + "parameters": { + "effect": { + "value": "[[parameters('adxPublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Adf-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6", + "parameters": { + "effect": { + "value": "[[parameters('adfPublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-EventGrid-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68", + "parameters": { + "effect": { + "value": "[[parameters('eventGridPublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-EventGrid-Topic-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45", + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicPublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-EH-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e", + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesPublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Hms-PublicNetwork", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultManagedHsmDisablePublicNetwork')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-MySql-Public-Network-Access", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095", + "parameters": { + "effect": { + "value": "[[parameters('mySqlPublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesPublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3", + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Sb-PublicEndpoint", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13", + "parameters": { + "effect": { + "value": "[[parameters('serviceBusDisablePublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Sql-Managed-Public-Endpoint", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91", + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedPublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Public-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751", + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsPublicAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Synapse-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d", + 
"parameters": { + "effect": { + "value": "[[parameters('synapsePublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Workspace-PublicNetworkAccess", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd", + "parameters": { + "effect": { + "value": "[[parameters('avdWorkspacePublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Hostpool-PublicNetworkAccess", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334", + "parameters": { + "effect": { + "value": "[[parameters('avdHostPoolPublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Graphana-PublicNetworkAccess", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628", + "parameters": { + "effect": { + "value": "[[parameters('graphanaPublicNetworkAccess')]" + } + }, + "groupNames": [] } ], "policyDefinitionGroups": null diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json index 19246f70b..056f966fd 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json @@ -48,6 +48,13 @@ } } }, + "AsrVaultDenyPublicIP": { + "parameters": { + "effect": { + "value": "[[parameters('AsrVaultDenyEffect')]" + } + } + }, "AutomationDenyPublicIP": { "parameters": { "effect": { 
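Review bot: `Deny-LogicApp-Public-Network-Access` points at a custom definition, `${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network`, while every other new reference in this hunk is a built-in; that definition has to exist at the target management group before this set definition is deployed, and nothing in the hunk shows it being added, so the deployment ordering should be confirmed. Separately, `Deny-Graphana-PublicNetworkAccess` and its parameter `graphanaPublicNetworkAccess` spell the product as "Graphana" whereas the Private DNS Zones change in the same commit uses `azureManagedGrafanaWorkspacePrivateDnsZoneId`; both the reference id and the parameter name are copied into the .parameters.json mapping, so this is the last cheap moment to correct them to `grafana`. Every new effect defaults to `Deny`, which means an existing assignment picks up roughly two dozen additional hard blocks on its next refresh; the set definition's version metadata is outside this hunk, but that impact is worth calling out there and in the release notes.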
@@ -83,6 +90,167 @@ } } }, + "Deny-Adf-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('adfPublicNetworkAccess')]" + } + } + }, + "Deny-ADX-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('adxPublicNetworkAccess')]" + } + } + }, + "Deny-AppSlots-Public": { + "parameters": { + "effect": { + "value": "[[parameters('appSlotsPublicNetworkAccess')]" + } + } + }, + "Deny-Cognitive-Services-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesNetworkAccess')]" + } + } + }, + "Deny-Cognitive-Services-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesPublicNetworkAccess')]" + } + } + }, + "Deny-CognitiveSearch-PublicEndpoint": { + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchPublicNetworkAccess')]" + } + } + }, + "Deny-ContainerApps-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('containerAppsPublicNetworkAccess')]" + } + } + }, + "Deny-EH-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesPublicNetworkAccess')]" + } + } + }, + "Deny-EventGrid-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('eventGridPublicNetworkAccess')]" + } + } + }, + "Deny-EventGrid-Topic-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicPublicNetworkAccess')]" + } + } + }, + "Deny-Graphana-PublicNetworkAccess": { + "parameters": { + "effect": { + "value": "[[parameters('graphanaPublicNetworkAccess')]" + } + } + }, + "Deny-Hostpool-PublicNetworkAccess": { + "parameters": { + "effect": { + "value": "[[parameters('avdHostPoolPublicNetworkAccess')]" + } + } + }, + "Deny-KV-Hms-PublicNetwork": { + "parameters": { + "effect": { + "value": "[[parameters('keyVaultManagedHsmDisablePublicNetwork')]" + } + } + }, + "Deny-LogicApp-Public-Network-Access": { + 
"parameters": { + "effect": { + "value": "[[parameters('logicAppPublicNetworkAccessEffect')]" + } + } + }, + "Deny-ManagedDisk-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('managedDiskPublicNetworkAccess')]" + } + } + }, + "Deny-MySql-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('mySqlPublicNetworkAccess')]" + } + } + }, + "Deny-PostgreSql-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('postgreSqlPublicNetworkAccess')]" + } + } + }, + "Deny-Sb-PublicEndpoint": { + "parameters": { + "effect": { + "value": "[[parameters('serviceBusDisablePublicNetworkAccess')]" + } + } + }, + "Deny-Sql-Managed-Public-Endpoint": { + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedPublicNetworkAccess')]" + } + } + }, + "Deny-Storage-Public-Access": { + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsPublicAccess')]" + } + } + }, + "Deny-Synapse-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('synapsePublicNetworkAccess')]" + } + } + }, + "Deny-Workspace-PublicNetworkAccess": { + "parameters": { + "effect": { + "value": "[[parameters('avdWorkspacePublicNetworkAccess')]" + } + } + }, + "FunctionAppSlotsDenyPublicIP": { + "parameters": { + "effect": { + "value": "[[parameters('FunctionAppSlotPublicIpDenyEffect')]" + } + } + }, "FunctionDenyPublicIP": { "parameters": { "effect": { diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json index 4a121b9c3..0fa287d91 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json 
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json
@@ -5,10 +5,11 @@
 "scope": null,
 "properties": {
 "policyType": "Custom",
- "displayName": "Deploy Diagnostic Settings to Azure Services",
- "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included ",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings to Azure Services",
+ "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "2.2.0",
+ "deprecated": true,
+ "version": "2.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json
index 222ad52d7..c880772c0 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json
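Review bot: The deprecation metadata here adds `"deprecated": true` but no `supersededBy`, whereas the Deploy-MDFC-Config and Deploy-MDFC-DefenderSQL-AMA hunks in this commit record both; the description already names the built-in initiative `0884adba-2312-4468-abeb-5422caed1038`, so adding `"supersededBy": "0884adba-2312-4468-abeb-5422caed1038",` next to `"deprecated": true` keeps the three deprecations machine-readable in the same way. The key order also differs (`deprecated` is placed before `version` here but after `source` in the other two files). The Deploy-MDFC-DefenderSQL-AMA hunk additionally rewords its display name (`SQL VMs` to `SQL VM`, `LA workspace` to `LAW`) while deprecating, which looks like incidental drift rather than part of the deprecation and may be worth reverting so the deprecated entry stays searchable by its old name.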
@@ -5,12 +5,14 @@
 "scope": null,
 "properties": {
 "policyType": "Custom",
- "displayName": "Deploy Microsoft Defender for Cloud configuration",
- "description": "Deploy Microsoft Defender for Cloud configuration",
+ "displayName": "[Deprecated]: Deploy Microsoft Defender for Cloud configuration",
+ "description": "Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html",
 "metadata": {
- "version": "7.0.0",
+ "version": "7.0.0-deprecated",
 "category": "Security Center",
 "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "Deploy-MDFC-Config_20240319",
 "alzCloudEnvironments": [
 "AzureCloud"
 ]
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.json
new file mode 100644
index 000000000..ffe9b7f9d
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.json
@@ -0,0 +1,404 @@ +{ + "name": "Deploy-MDFC-Config_20240319", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deploy Microsoft Defender for Cloud configuration", + "description": "Deploy Microsoft Defender for Cloud configuration", + "metadata": { + "version": "1.0.0", + "category": "Security Center", + "source": "https://github.com/Azure/Enterprise-Scale/", + "replacesPolicy": "Deploy-MDFC-Config", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "emailSecurityContact": { + "type": "string", + "metadata": { + "displayName": "Security contacts email address", + "description": "Provide email address for Microsoft Defender for Cloud contact details" + } + }, + "minimalSeverity": { + "type": "string", + "allowedValues": [ + "High", + "Medium", + "Low" + ], + "defaultValue": "High", + "metadata": { + "displayName": "Minimal severity", + "description": "Defines the minimal alert severity which will be sent as email notifications" + } + }, + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Primary Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "ascExportResourceGroupName": { + "type": "String", + "metadata": { + "displayName": "Resource Group name for the export to Log Analytics workspace configuration", + "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured." 
+ } + }, + "ascExportResourceGroupLocation": { + "type": "String", + "metadata": { + "displayName": "Resource Group location for the export to Log Analytics workspace configuration", + "description": "The location where the resource group and the export to Log Analytics workspace configuration are created." + } + }, + "enableAscForCosmosDbs": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSql": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSqlOnVm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForArm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForOssDb": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForAppServices": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForKeyVault": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + 
"Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForStorage": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForContainers": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForServers": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForServersVulnerabilityAssessments": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "vulnerabilityAssessmentProvider": { + "type": "String", + "allowedValues": [ + "default", + "mdeTvm" + ], + "defaultValue": "mdeTvm", + "metadata": { + "displayName": "Vulnerability assessment provider type", + "description": "Select the vulnerability assessment solution to provision to machines." 
+ } + }, + "enableAscForCspm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "defenderForOssDb", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForOssDb')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForVM", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForServers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForVMVulnerabilityAssessment", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForServersVulnerabilityAssessments')]" + }, + "vaType": { + "value": "[[parameters('vulnerabilityAssessmentProvider')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlServerVirtualMachines", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForSqlOnVm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForAppServices", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForAppServices')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForStorageAccountsV2", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForStorage')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderforContainers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderforKubernetes", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[[parameters('logAnalytics')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "azurePolicyForKubernetes", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForKeyVaults", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForKeyVault')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForArm", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForArm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlPaas", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491", + "parameters": { + "effect": { + "value": 
"[[parameters('enableAscForSql')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForCosmosDbs", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForCosmosDbs')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForCspm", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForCspm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "securityEmailContact", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", + "parameters": { + "emailSecurityContact": { + "value": "[[parameters('emailSecurityContact')]" + }, + "minimalSeverity": { + "value": "[[parameters('minimalSeverity')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ascExport", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9", + "parameters": { + "resourceGroupName": { + "value": "[[parameters('ascExportResourceGroupName')]" + }, + "resourceGroupLocation": { + "value": "[[parameters('ascExportResourceGroupLocation')]" + }, + "workspaceResourceId": { + "value": "[[parameters('logAnalytics')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "migrateToMdeTvm", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888", + "parameters": {}, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
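Review bot: `migrateToMdeTvm` is the only reference in the new set definition whose `parameters` block is empty, so unlike the other Defender-plan references it has no `enableAsc…` switch and cannot be set to `Disabled` per assignment; if the built-in definition `766e621d-ba95-4e43-a6f2-e945db3d7888` exposes an `effect` parameter, wiring it to a parameter with the same `DeployIfNotExists`/`Disabled` shape as the others would keep the initiative uniformly opt-out. Two style points in the same file: the parameter `type` is `"string"` for `emailSecurityContact` and `minimalSeverity` but `"String"` for every other parameter, and the reference ids `defenderforContainers` and `defenderforKubernetes` use a lowercase `for` while `defenderForVM`, `defenderForArm` and the rest are camelCase. Those ids must match the keys in the companion `.parameters.json` (the next hunk) byte for byte, which they currently do, so one convention reduces the chance of a silent mismatch when either file is edited later. The file also ends without a trailing newline (`\ No newline at end of file`), which the companion parameters file does not share.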
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.parameters.json
new file mode 100644
index 000000000..5408895e1
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.parameters.json
@@ -0,0 +1,132 @@ +{ + "ascExport": { + "parameters": { + "resourceGroupName": { + "value": "[[parameters('ascExportResourceGroupName')]" + }, + "resourceGroupLocation": { + "value": "[[parameters('ascExportResourceGroupLocation')]" + }, + "workspaceResourceId": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + "azurePolicyForKubernetes": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + } + } + }, + "defenderForAppServices": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForAppServices')]" + } + } + }, + "defenderForArm": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForArm')]" + } + } + }, + "defenderforContainers": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + } + } + }, + "defenderForCosmosDbs": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForCosmosDbs')]" + } + } + }, + "defenderForCspm": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForCspm')]" + } + } + }, + "defenderForKeyVaults": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForKeyVault')]" + } + } + }, + "defenderforKubernetes": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + "defenderForOssDb": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForOssDb')]" + } + } + }, + "defenderForSqlPaas": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForSql')]" + } + } + }, + "defenderForSqlServerVirtualMachines": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForSqlOnVm')]" + } + } + }, + "defenderForStorageAccountsV2": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForStorage')]" + } + } + }, + "defenderForVM": { + "parameters": { + "effect": { + "value": 
"[[parameters('enableAscForServers')]" + } + } + }, + "defenderForVMVulnerabilityAssessment": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForServersVulnerabilityAssessments')]" + }, + "vaType": { + "value": "[[parameters('vulnerabilityAssessmentProvider')]" + } + } + }, + "migrateToMdeTvm": { + "parameters": {} + }, + "securityEmailContact": { + "parameters": { + "emailSecurityContact": { + "value": "[[parameters('emailSecurityContact')]" + }, + "minimalSeverity": { + "value": "[[parameters('minimalSeverity')]" + } + } + } +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-DefenderSQL-AMA.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-DefenderSQL-AMA.json index 9b0d468bc..0ae5f70e5 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-DefenderSQL-AMA.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-DefenderSQL-AMA.json 
@@ -5,12 +5,14 @@
 "scope": null,
 "properties": {
 "policyType": "Custom",
- "displayName": "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace",
- "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.",
+ "displayName": "[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW",
+ "description": "Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html",
 "metadata": {
- "version": "1.0.1",
+ "version": "1.0.1-deprecated",
 "category": "Security Center",
 "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "de01d381-bae9-4670-8870-786f89f49e26",
 "alzCloudEnvironments": [
 "AzureCloud"
 ]
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json
index 1c664daf7..78db42184 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json
@@ -8,7 +8,7 @@
 "displayName": "Configure Azure PaaS services to use private DNS zones",
 "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones",
 "metadata": {
- "version": "2.1.2",
+ "version": "2.2.0",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -466,6 +466,15 @@
 "description": "Private DNS Zone Identifier"
 }
 },
+ "azureMachineLearningWorkspaceSecondPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureMachineLearningWorkspaceSecondPrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
 "azureServiceBusNamespacePrivateDnsZoneId": {
 "type": "string",
 "defaultValue": "",
@@ -484,6 +493,132 @@
 "description": "Private DNS Zone Identifier"
 }
 },
+ "azureBotServicePrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureBotServicePrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureManagedGrafanaWorkspacePrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureManagedGrafanaWorkspacePrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureVirtualDesktopHostpoolPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureVirtualDesktopHostpoolPrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureVirtualDesktopWorkspacePrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureVirtualDesktopWorkspacePrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureIotDeviceupdatePrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureIotDeviceupdatePrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureArcGuestconfigurationPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureArcGuestconfigurationPrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureArcHybridResourceProviderPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureArcHybridResourceProviderPrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureArcKubernetesConfigurationPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureArcKubernetesConfigurationPrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureIotCentralPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureIotCentralPrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureStorageTablePrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureStorageTablePrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureStorageTableSecondaryPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureStorageTableSecondaryPrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureSiteRecoveryBackupPrivateDnsZoneID": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureSiteRecoveryBackupPrivateDnsZoneID",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureSiteRecoveryBlobPrivateDnsZoneID": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureSiteRecoveryBlobPrivateDnsZoneID",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureSiteRecoveryQueuePrivateDnsZoneID": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureSiteRecoveryQueuePrivateDnsZoneID",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
 "effect": {
 "type": "string",
 "metadata": {
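Review bot: The three Site Recovery parameters at the end of this hunk (`azureSiteRecoveryBackupPrivateDnsZoneID`, `azureSiteRecoveryBlobPrivateDnsZoneID`, `azureSiteRecoveryQueuePrivateDnsZoneID`) end in `...PrivateDnsZoneID`, while every other zone parameter in the file, including the eleven added alongside them, ends in `...PrivateDnsZoneId`. These names are referenced as strings from the `policyDefinitions` array and from the companion `.parameters.json`, so a mixed suffix is easy to mistype when wiring up an assignment and makes grepping for the convention unreliable. Renaming them to `azureSiteRecoveryBackupPrivateDnsZoneId` (and likewise for Blob and Queue) keeps the established convention; the same three names recur in the `@@ -1216,6 +1354,154 @@` hunk of this file and in the `@@ -420,6 +479,22 @@` hunk of `policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json`, so all three places would need the rename together.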
@@ -1185,6 +1320,9 @@
 "privateDnsZoneId": {
 "value": "[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]"
 },
+ "secondPrivateDnsZoneId": {
+ "value": "[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]"
+ },
 "effect": {
 "value": "[[parameters('effect')]"
 }
@@ -1216,6 +1354,154 @@
 }
 },
 "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-BotService",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureBotServicePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ManagedGrafanaWorkspace",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-VirtualDesktopHostpool",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "connection"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-VirtualDesktopWorkspace",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "feed"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTDeviceupdate",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Arc",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9",
+ "parameters": {
+ "privateDnsZoneIdForGuestConfiguration": {
+ "value": "[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]"
+ },
+ "privateDnsZoneIdForHybridResourceProvider": {
+ "value": "[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]"
+ },
+ "privateDnsZoneIdForKubernetesConfiguration": {
+ "value": "[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTCentral",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureIotCentralPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Table",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageTablePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Table-Secondary",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Site-Recovery-Backup",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820",
+ "parameters": {
+ "privateDnsZone-Backup": {
+ "value": "[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]"
+ },
+ "privateDnsZone-Blob": {
+ "value": "[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]"
+ },
+ "privateDnsZone-Queue": {
+ "value": "[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
 }
 ],
 "policyDefinitionGroups": null
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json
index 2224284fb..e63e3e07e 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json
@@ -29,6 +29,22 @@
 }
 }
 },
+ "DINE-Private-DNS-Azure-Arc": {
+ "parameters": {
+ "privateDnsZoneIdForGuestConfiguration": {
+ "value": "[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]"
+ },
+ "privateDnsZoneIdForHybridResourceProvider": {
+ "value": "[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]"
+ },
+ "privateDnsZoneIdForKubernetesConfiguration": {
+ "value": "[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
 "DINE-Private-DNS-Azure-Automation-DSCHybrid": {
 "parameters": {
 "privateDnsZoneId": {
@@ -65,6 +81,16 @@
 }
 }
 },
+ "DINE-Private-DNS-Azure-BotService": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureBotServicePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
 "DINE-Private-DNS-Azure-CognitiveSearch": {
 "parameters": {
 "privateDnsZoneId": {
@@ -279,6 +305,26 @@
 }
 }
 },
+ "DINE-Private-DNS-Azure-IoTCentral": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureIotCentralPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-IoTDeviceupdate": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
 "DINE-Private-DNS-Azure-IoTHubs": {
 "parameters": {
 "privateDnsZoneId": {
@@ -304,6 +350,19 @@
 "privateDnsZoneId": {
 "value": "[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]"
 },
+ "secondPrivateDnsZoneId": {
+ "value": "[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-ManagedGrafanaWorkspace": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]"
+ },
 "effect": {
 "value": "[[parameters('effect')]"
 }
@@ -420,6 +479,22 @@
 }
 }
 },
+ "DINE-Private-DNS-Azure-Site-Recovery-Backup": {
+ "parameters": {
+ "privateDnsZone-Backup": {
+ "value": "[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]"
+ },
+ "privateDnsZone-Blob": {
+ "value": "[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]"
+ },
+ "privateDnsZone-Queue": {
+ "value": "[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
 "DINE-Private-DNS-Azure-Storage-Blob": {
 "parameters": {
 "privateDnsZoneId": {
@@ -510,6 +585,26 @@
 }
 }
 },
+ "DINE-Private-DNS-Azure-Storage-Table": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageTablePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Storage-Table-Secondary": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
 "DINE-Private-DNS-Azure-Synapse-Dev": {
 "parameters": {
 "privateDnsZoneId": {
@@ -549,6 +644,32 @@
 }
 }
 },
+ "DINE-Private-DNS-Azure-VirtualDesktopHostpool": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "connection"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-VirtualDesktopWorkspace": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "feed"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
 "DINE-Private-DNS-Azure-Web": {
 "parameters": {
 "privateDnsZoneId": {
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.json
index 5f45bbeb9..295bdc686 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.json
@@ -5,12 +5,14 @@
 "scope": null,
 "properties": {
 "policyType": "Custom",
- "displayName": "Deploy SQL Database built-in SQL security configuration",
- "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment",
+ "displayName": "[Deprecated]: Deploy SQL Database built-in SQL security configuration",
+ "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Sql-Security_20240529.html",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.0-deprecated",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "Deploy-Sql-Security_20240529",
 "alzCloudEnvironments": [
 "AzureCloud",
 "AzureChinaCloud",
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security_20240529.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security_20240529.json
new file mode 100644
index 000000000..c215cb374
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security_20240529.json
@@ -0,0 +1,135 @@
+{
+ "name": "Deploy-Sql-Security_20240529",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Deploy SQL Database built-in SQL security configuration",
+ "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "replacesPolicy": "Deploy-Sql-Security",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "vulnerabilityAssessmentsEmail": {
+ "metadata": {
+ "description": "The email address to send alerts",
+ "displayName": "The email address to send alerts"
+ },
+ "type": "Array"
+ },
+ "vulnerabilityAssessmentsStorageID": {
+ "metadata": {
+ "description": "The storage account ID to store assessments",
+ "displayName": "The storage account ID to store assessments"
+ },
+ "type": "String"
+ },
+ "SqlDbTdeDeploySqlSecurityEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy SQL Database Transparent Data Encryption ",
+ "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment"
+ }
+ },
+ "SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy SQL Database security Alert Policies configuration with email admin accounts",
+ "description": "Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration"
+ }
+ },
+ "SqlDbAuditingSettingsDeploySqlSecurityEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy SQL database auditing settings",
+ "description": "Deploy auditing settings to SQL Database when it not exist in the deployment"
+ }
+ },
+ "SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy SQL Database vulnerability Assessments",
+ "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters"
+ }
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "SqlDbTdeDeploySqlSecurity",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SqlDbSecurityAlertPoliciesDeploySqlSecurity",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SqlDbAuditingSettingsDeploySqlSecurity",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]"
+ },
+ "vulnerabilityAssessmentsEmail": {
+ "value": "[[parameters('vulnerabilityAssessmentsEmail')]"
+ },
+ "vulnerabilityAssessmentsStorageID": {
+ "value": "[[parameters('vulnerabilityAssessmentsStorageID')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security_20240529.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security_20240529.parameters.json
new file mode 100644
index 000000000..d954e7bce
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security_20240529.parameters.json
@@ -0,0 +1,36 @@
+{
+ "SqlDbAuditingSettingsDeploySqlSecurity": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]"
+ }
+ }
+ },
+ "SqlDbSecurityAlertPoliciesDeploySqlSecurity": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]"
+ }
+ }
+ },
+ "SqlDbTdeDeploySqlSecurity": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]"
+ }
+ }
+ },
+ "SqlDbVulnerabilityAssessmentsDeploySqlSecurity": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]"
+ },
+ "vulnerabilityAssessmentsEmail": {
+ "value": "[[parameters('vulnerabilityAssessmentsEmail')]"
+ },
+ "vulnerabilityAssessmentsStorageID": {
+ "value": "[[parameters('vulnerabilityAssessmentsStorageID')]"
+ }
+ }
+ }
+}
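Review bot: `vulnerabilityAssessmentsStorageID` in the new initiative's `parameters` block carries no `strongType`, while the private DNS zone parameters added in this same commit all declare `"strongType": "Microsoft.Network/privateDnsZones"`; adding `"strongType": "Microsoft.Storage/storageAccounts"` to its `metadata` gives the assignment experience a resource picker for the account that will hold assessment results instead of a free-text field. The `displayName` of `SqlDbTdeDeploySqlSecurityEffect` ends in a trailing space (`"Deploy SQL Database Transparent Data Encryption "`), which looks carried over from the deprecated definition and could be trimmed now that this is a fresh file. `vulnerabilityAssessmentsEmail` and `vulnerabilityAssessmentsStorageID` have no `defaultValue`, which is reasonable for tenant-specific values, but the initiative `description` could say that both are required so an assignment author does not discover it at deployment time.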
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.json
new file mode 100644
index 000000000..926070f11
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.json
@@ -0,0 +1,134 @@
+{
+ "name": "Enforce-Backup",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce enhanced recovery and backup policies",
+ "description": "Enforce enhanced recovery and backup policies on assigned scopes.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Backup",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy."
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "checkLockedImmutabilityOnly": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "checkLockedImmutabilityOnly",
+ "description": "This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant."
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": false
+ },
+ "checkAlwaysOnSoftDeleteOnly": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "CheckAlwaysOnSoftDeleteOnly",
+ "description": "This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant."
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": false
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "BackupBVault-Immutability",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ },
+ "CheckLockedImmutabiltyOnly": {
+ "value": "[[parameters('checkLockedImmutabilityOnly')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BackupRVault-Immutability",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ },
+ "checkLockedImmutabilityOnly": {
+ "value": "[[parameters('checkLockedImmutabilityOnly')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BackupBVault-SoftDelete",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ },
+ "checkAlwaysOnSoftDeleteOnly": {
+ "value": "[[parameters('checkAlwaysOnSoftDeleteOnly')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BackupRVault-SoftDelete",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ },
+ "checkAlwaysOnSoftDeleteOnly": {
+ "value": "[[parameters('checkAlwaysOnSoftDeleteOnly')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BackupBVault-MUA",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BackupRVault-MUA",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.parameters.json
new file mode 100644
index 000000000..309234ee1
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.parameters.json
@@ -0,0 +1,56 @@
+{
+ "BackupBVault-Immutability": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ },
+ "CheckLockedImmutabiltyOnly": {
+ "value": "[[parameters('checkLockedImmutabilityOnly')]"
+ }
+ }
+ },
+ "BackupBVault-MUA": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "BackupBVault-SoftDelete": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ },
+ "checkAlwaysOnSoftDeleteOnly": {
+ "value": "[[parameters('checkAlwaysOnSoftDeleteOnly')]"
+ }
+ }
+ },
+ "BackupRVault-Immutability": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ },
+ "checkLockedImmutabilityOnly": {
+ "value": "[[parameters('checkLockedImmutabilityOnly')]"
+ }
+ }
+ },
+ "BackupRVault-MUA": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "BackupRVault-SoftDelete": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ },
+ "checkAlwaysOnSoftDeleteOnly": {
+ "value": "[[parameters('checkAlwaysOnSoftDeleteOnly')]"
+ }
+ }
+ }
+}
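Review bot: The `BackupBVault-Immutability` reference passes its target definition a parameter named `CheckLockedImmutabiltyOnly` (capital C, missing `i`), whereas the sibling `BackupRVault-Immutability` reference two entries later spells it `checkLockedImmutabilityOnly`. A reference parameter name has to match the parameter declared by the referenced definition, so either this spelling deliberately mirrors the built-in definition `2514263b-bc0d-4b06-ac3e-f262c0979018` and must stay as is, or it is a typo that would likely be rejected when the set definition is created; please confirm against that definition's parameter list. If it is intentional, a short sentence in the module README explaining that the built-in parameter is spelt this way would stop the next reader from "fixing" it. The same spelling is repeated under `BackupBVault-Immutability` in `policy_set_definition_es_Enforce-Backup.parameters.json` in the following hunk, so both files need to agree with whatever the answer is.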
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.json
index 4b9f1d58a..12f0f0d97 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.json
@@ -5,12 +5,14 @@
 "scope": null,
 "properties": {
 "policyType": "Custom",
- "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
- "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. ",
+ "displayName": "[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
+ "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html",
 "metadata": {
- "version": "2.1.0",
+ "version": "2.1.0-deprecated",
 "category": "Encryption",
 "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "Enforce-EncryptTransit_20240509",
 "alzCloudEnvironments": [
 "AzureCloud",
 "AzureChinaCloud",
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.json
new file mode 100644
index 000000000..00e4fdefe
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.json
@@ -0,0 +1,937 @@ +{ + "name": "Enforce-EncryptTransit_20240509", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. ", + "metadata": { + "version": "1.0.0", + "category": "Encryption", + "source": "https://github.com/Azure/Enterprise-Scale/", + "replacesPolicy": "Enforce-EncryptTransit", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "AppServiceHttpEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below", + "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny." + } + }, + "AppServiceTlsVersionEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService WebApp, APIApp, Function App to enable https only", + "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny." 
+ } + }, + "AppServiceminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "App Service. Select version minimum TLS Web App config", + "description": "App Service. Select version minimum TLS version for a Web App config to enforce" + } + }, + "APIAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionLatestTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Latest TLS version should be used in your Function App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "FunctionServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionAppTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Configure Function apps to use the latest TLS version.", + "description": "App Service Function App. 
Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version." + }, + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "LogicAppTlsEffect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "WebAppServiceLatestTlsEffect": { + "metadata": { + "displayName": "App Service Web App. Latest TLS version should be used in your Web App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "WebAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "AKSIngressHttpsOnlyEffect": { + "metadata": { + "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster", + "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc." 
+ }, + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ] + }, + "MySQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "MySQLEnableSSLEffect": { + "metadata": { + "displayName": "MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "MySQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "MySQL database servers. 
Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "PostgreSQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "PostgreSQLEnableSSLEffect": { + "metadata": { + "displayName": "PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "PostgreSQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. 
Select version minimum TLS for MySQL server", + "description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "RedisTLSDeployEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "RedisMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis", + "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce" + } + }, + "RedisTLSEffect": { + "metadata": { + "displayName": "Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled", + "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking." 
+ }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "SQLManagedInstanceTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "SQLManagedInstanceMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance", + "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce" + } + }, + "SQLManagedInstanceTLSEffect": { + "metadata": { + "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "SQLServerTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure SQL Database. 
Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "SQLServerminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database", + "description": "Select version minimum TLS version for Azure SQL Database to enforce" + } + }, + "SQLServerTLSEffect": { + "metadata": { + "displayName": "Azure SQL Database should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "StorageDeployHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "StorageminimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Storage Account select minimum TLS version", + "description": "Select version minimum TLS version on Azure Storage Account to enforce" + } + }, + "ContainerAppsHttpsOnlyEffect": { + "metadata": { + "displayName": "Container Apps should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps." 
+ }, + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "logicAppHttpsEffect": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "functionAppSlotsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceAppsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "functionAppSlotsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "functionAppHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerAppsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubMinTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "sqlManagedTlsVersion": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "sqlDbTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsTls": { + "type": "string", + "defaultValue": "Deny", + 
"allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseTlsVersion": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AppServiceHttpEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceHttpEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceminTlsVersion", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceTlsVersionEffect')]" + }, + "minTlsVersion": { + "value": "[[parameters('AppServiceminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "parameters": { + "effect": { + "value": "[[parameters('FunctionLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "parameters": { + "effect": { + "value": "[[parameters('APIAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionServiceHttpsEffect", + "policyDefinitionId": 
"${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "parameters": { + "effect": { + "value": "[[parameters('FunctionServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "parameters": { + "effect": { + "value": "[[parameters('AKSIngressHttpsOnlyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "parameters": { + "effect": { + "value": 
"[[parameters('PostgreSQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisTLSDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisdisableNonSslPort", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisDenyhttps", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]" + 
}, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('StorageDeployHttpsEnabledEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('StorageMinimumTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "parameters": { + "effect": { + "value": 
"[[parameters('ContainerAppsHttpsOnlyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-FunctionApp-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0", + "parameters": { + "effect": { + "value": "[[parameters('FunctionAppTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deploy-LogicApp-TLS", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS", + "parameters": { + "effect": { + "value": "[[parameters('LogicAppTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-LogicApp-Without-Https", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https", + "parameters": { + "effect": { + "value": "[[parameters('logicAppHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-Function-Apps-Slots-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063", + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-AppService-Apps-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d", + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AppService-Apps-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d", + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsHttps')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AppService-Tls", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50", + "parameters": { + "effect": { + "value": "[[parameters('appServiceTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-AppService-AppSlotTls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df", + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-FuncAppSlots-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71", + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsHttps')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-FunctionApp-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab", + "parameters": { + "effect": { + "value": "[[parameters('functionAppHttps')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AppService-Slots-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc", + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotsHttps')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ContainerApps-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "parameters": { + "effect": { + "value": "[[parameters('containerAppsHttps')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-EH-MINTLS", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-MINTLS", + "parameters": { + "effect": { + "value": "[[parameters('eventHubMinTls')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "Deny-Sql-Managed-Tls-Version", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4", + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Sql-Db-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf", + "parameters": { + "effect": { + "value": "[[parameters('sqlDbTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0", + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Synapse-Tls-Version", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4", + "parameters": { + "effect": { + "value": "[[parameters('synapseTlsVersion')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.parameters.json new file mode 100644 index 000000000..5b9f5b4ef --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.parameters.json 
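Review bot: The built-in definition 0e80e269-43a4-4ae9-b5bc-178126b8a5cb is referenced twice in policyDefinitions, once as `ContainerAppsHttpsOnlyEffect` and again as `Deny-ContainerApps-Https`, each driven by its own effect parameter (`ContainerAppsHttpsOnlyEffect` and `containerAppsHttps`); the initiative evaluates Container Apps twice, and an operator who sets one of the two to Disabled still gets the other, so one reference and its parameter should be dropped. The `Deploy-Storage-sslEnforcement` reference reads `[[parameters('StorageMinimumTlsVersion')]` while the parameter is declared as `StorageminimumTlsVersion`; that only resolves if parameter lookup is case-insensitive, and matching the case removes the doubt. `PostgreSQLminimalTlsVersion` carries MySQL wording copied from the parameter above it, so `"displayName": "PostgreSQL database servers. Select version minimum TLS for PostgreSQL server"` and `"description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for PostgreSQL server to enforce"` would fix what operators see in the portal. The parameters `LogicAppTlsEffect` and `logicAppHttpsEffect` through `synapseTlsVersion` have no `metadata` block, so unlike the rest they are presented without a displayName or description, and `type` alternates between `"String"` and `"string"` across the file.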
@@ -0,0 +1,304 @@ +{ + "AKSIngressHttpsOnlyEffect": { + "parameters": { + "effect": { + "value": "[[parameters('AKSIngressHttpsOnlyEffect')]" + } + } + }, + "APIAppServiceHttpsEffect": { + "parameters": { + "effect": { + "value": "[[parameters('APIAppServiceHttpsEffect')]" + } + } + }, + "AppServiceHttpEffect": { + "parameters": { + "effect": { + "value": "[[parameters('AppServiceHttpEffect')]" + } + } + }, + "AppServiceminTlsVersion": { + "parameters": { + "effect": { + "value": "[[parameters('AppServiceTlsVersionEffect')]" + }, + "minTlsVersion": { + "value": "[[parameters('AppServiceminTlsVersion')]" + } + } + }, + "ContainerAppsHttpsOnlyEffect": { + "parameters": { + "effect": { + "value": "[[parameters('ContainerAppsHttpsOnlyEffect')]" + } + } + }, + "Deny-AppService-Apps-Https": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsHttps')]" + } + } + }, + "Deny-AppService-Slots-Https": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotsHttps')]" + } + } + }, + "Deny-AppService-Tls": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceTls')]" + } + } + }, + "Deny-ContainerApps-Https": { + "parameters": { + "effect": { + "value": "[[parameters('containerAppsHttps')]" + } + } + }, + "Deny-EH-MINTLS": { + "parameters": { + "effect": { + "value": "[[parameters('eventHubMinTls')]" + } + } + }, + "Deny-FuncAppSlots-Https": { + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsHttps')]" + } + } + }, + "Deny-FunctionApp-Https": { + "parameters": { + "effect": { + "value": "[[parameters('functionAppHttps')]" + } + } + }, + "Deny-LogicApp-Without-Https": { + "parameters": { + "effect": { + "value": "[[parameters('logicAppHttpsEffect')]" + } + } + }, + "Deny-Sql-Db-Tls": { + "parameters": { + "effect": { + "value": "[[parameters('sqlDbTls')]" + } + } + }, + "Deny-Sql-Managed-Tls-Version": { + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedTlsVersion')]" + } + } + }, 
+ "Deny-Storage-Tls": { + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsTls')]" + } + } + }, + "Deny-Synapse-Tls-Version": { + "parameters": { + "effect": { + "value": "[[parameters('synapseTlsVersion')]" + } + } + }, + "Deploy-LogicApp-TLS": { + "parameters": { + "effect": { + "value": "[[parameters('LogicAppTlsEffect')]" + } + } + }, + "Dine-AppService-Apps-Tls": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsTls')]" + } + } + }, + "DINE-AppService-AppSlotTls": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotTls')]" + } + } + }, + "Dine-Function-Apps-Slots-Tls": { + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsTls')]" + } + } + }, + "Dine-FunctionApp-Tls": { + "parameters": { + "effect": { + "value": "[[parameters('FunctionAppTlsEffect')]" + } + } + }, + "FunctionLatestTlsEffect": { + "parameters": { + "effect": { + "value": "[[parameters('FunctionLatestTlsEffect')]" + } + } + }, + "FunctionServiceHttpsEffect": { + "parameters": { + "effect": { + "value": "[[parameters('FunctionServiceHttpsEffect')]" + } + } + }, + "MySQLEnableSSLDeployEffect": { + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + } + }, + "MySQLEnableSSLEffect": { + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + } + }, + "PostgreSQLEnableSSLDeployEffect": { + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + } + }, + "PostgreSQLEnableSSLEffect": { + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": 
"[[parameters('PostgreSQLminimalTlsVersion')]" + } + } + }, + "RedisDenyhttps": { + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + } + }, + "RedisdisableNonSslPort": { + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + } + } + }, + "RedisTLSDeployEffect": { + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + } + }, + "SQLManagedInstanceTLSDeployEffect": { + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + } + }, + "SQLManagedInstanceTLSEffect": { + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + } + }, + "SQLServerTLSDeployEffect": { + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + } + }, + "SQLServerTLSEffect": { + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + } + }, + "StorageDeployHttpsEnabledEffect": { + "parameters": { + "effect": { + "value": "[[parameters('StorageDeployHttpsEnabledEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('StorageMinimumTlsVersion')]" + } + } + }, + "WebAppServiceHttpsEffect": { + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceHttpsEffect')]" + } + } + }, + "WebAppServiceLatestTlsEffect": { + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceLatestTlsEffect')]" + } + } + } +} 
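Review bot: `RedisdisableNonSslPort` takes its effect from `[[parameters('RedisTLSDeployEffect')]`, the same parameter that drives the `RedisTLSDeployEffect` reference a few lines below, so the non-SSL-port remediation and the TLS-version remediation cannot be toggled independently and setting that one parameter to Disabled switches off both. This looks carried over from the earlier version of the file rather than introduced here, but since this is a fresh dated copy it is the right moment to give the port policy its own effect parameter (for example one named along the lines of the other `*DeployEffect` entries) or to state the coupling in the matching set definition's parameter description. Sharing `MySQLminimalTlsVersion` and `PostgreSQLminimalTlsVersion` between the audit and deploy references is fine, since both should enforce the same minimum version.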
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json index de1ef45b4..cbe71336a 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json @@ -8,7 +8,7 @@ "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", "metadata": { - "version": "2.0.0", + "version": "3.0.0", "category": "Encryption", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -22,7 +22,7 @@ "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK." }, "type": "String", - "defaultValue": "Audit", + "defaultValue": "Deny", "allowedValues": [ "Audit", "Deny", @@ -35,7 +35,7 @@ "description": "Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards." }, "type": "String", - "defaultValue": "Audit", + "defaultValue": "Deny", "allowedValues": [ "Audit", "Deny", 
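Review bot: The `@@ -22` and `@@ -35` hunks here, together with the `@@ -44` through `@@ -183` hunks on the next line, flip `defaultValue` from Audit to Deny on every existing CMK effect parameter, which changes the behaviour of any assignment of this initiative that relies on the defaults the next time it is redeployed. The bump to `"version": "3.0.0"` signals the break correctly, but nothing in the file says why; a short addition to the initiative `description`, e.g. `"Defaults changed from Audit to Deny in 3.0.0; set the *CMKEffect parameters to Audit to keep the previous behaviour."`, would save consumers from discovering it through rejected deployments. The lowercase `"deny"` chosen for CosmosCMKEffect and StreamAnalyticsCMKEffect matches their existing lowercase `allowedValues`, so that part is consistent as written.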
@@ -44,7 +44,7 @@ }, "WorkspaceCMKEffect": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Deny", "allowedValues": [ "Audit", "Deny", @@ -57,7 +57,7 @@ }, "CognitiveServicesCMKEffect": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Deny", "allowedValues": [ "Audit", "Deny", @@ -70,7 +70,7 @@ }, "CosmosCMKEffect": { "type": "String", - "defaultValue": "audit", + "defaultValue": "deny", "allowedValues": [ "audit", "deny", @@ -83,7 +83,7 @@ }, "DataBoxCMKEffect": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Deny", "allowedValues": [ "Audit", "Deny", @@ -96,7 +96,7 @@ }, "StreamAnalyticsCMKEffect": { "type": "String", - "defaultValue": "audit", + "defaultValue": "deny", "allowedValues": [ "audit", "deny", @@ -109,7 +109,7 @@ }, "SynapseWorkspaceCMKEffect": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Deny", "allowedValues": [ "Audit", "Deny", @@ -158,7 +158,7 @@ }, "SqlServerTDECMKEffect": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Deny", "allowedValues": [ "Audit", "Deny", @@ -183,7 +183,7 @@ }, "AzureBatchCMKEffect": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Deny", "allowedValues": [ "Audit", "Deny", 
@@ -205,6 +205,130 @@ "displayName": "Disk encryption should be applied on virtual machines", "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations." } + }, + "AutomationAccountCmkEffect": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "BackupCmkEffect": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveSearchCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "osAndDataDiskCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerInstanceCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adxCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adfCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubNamespacesCmk": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "eventHubPremiumCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "serviceBusDenyCmk": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "sqlManagedCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageTableCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsEncryptionCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageQueueCmk": { + 
"type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] } }, "policyDefinitions": [ 
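Review bot: The fourteen parameters added in this hunk carry no `metadata` block, while the existing parameters edited just above (see the `@@ -22` and `@@ -35` hunks) provide `displayName` and `description`; in the portal and in compliance exports these new switches will appear only as raw names such as `adxCmk` and `cognitiveSearchCmk`. Separately, `eventHubNamespacesCmk` and `serviceBusDenyCmk` allow only `Audit`/`Disabled` even though the parameter name and the `Deny-EH-Cmk`/`Deny-Sb-Cmk` reference IDs in the later hunk suggest enforcement; if that is because the underlying built-ins only offer Audit, which appears to be the case, a `metadata.description` such as `"Audit only: the built-in policy does not support Deny."` would stop readers from assuming CMK is being enforced for those services. Naming the parameters consistently (`AutomationAccountCmkEffect` and `BackupCmkEffect` end in Effect, the rest do not) and matching the existing `"String"` casing would also be worth a pass, although ARM treats the type name case-insensitively so that is style only.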
@@ -357,6 +481,146 @@ } }, "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aa-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b", + "parameters": { + "effect": { + "value": "[[parameters('AutomationAccountCmkEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Backup-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671", + "parameters": { + "effect": { + "value": "[[parameters('BackupCmkEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-CognitiveSearch-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f", + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchCmk')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-OsAndDataDisk-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0", + "parameters": { + "effect": { + "value": "[[parameters('osAndDataDiskCmk')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ContainerInstance-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6", + "parameters": { + "effect": { + "value": "[[parameters('containerInstanceCmk')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ADX-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa", + "parameters": { + "effect": { + "value": "[[parameters('adxCmk')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Adf-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e", + "parameters": { + "effect": { + "value": 
"[[parameters('adfCmk')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-EH-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec", + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesCmk')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-EH-Premium-CMK", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK", + "parameters": { + "effect": { + "value": "[[parameters('eventHubPremiumCmk')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Sb-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a", + "parameters": { + "effect": { + "value": "[[parameters('serviceBusDenyCmk')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Sql-Managed-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2", + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedCmk')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Table-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688", + "parameters": { + "effect": { + "value": "[[parameters('storageTableCmk')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Encryption-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8", + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsEncryptionCmk')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Queue-Cmk", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef", + "parameters": { + "effect": { + "value": "[[parameters('storageQueueCmk')]" + } + }, + "groupNames": [] } ], "policyDefinitionGroups": null diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json index 343d3d546..bb398c41e 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json 
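Review bot: `Deny-OsAndDataDisk-Cmk` binds the built-in `702dd420-7fcc-42c5-afe8-4026edd20fe0` to the new `osAndDataDiskCmk` parameter, but the existing parameter edited in the `@@ -35` hunk carries that built-in's own description ("Encrypting OS and data disks using customer-managed keys ..."), so the initiative very likely now references the same definition twice with two independently settable effects; please check the existing entry above this hunk and drop whichever reference is redundant. `Deny-EH-Premium-CMK` resolves through `${varTargetManagementGroupResourceId}` to a custom definition of the same name, so deploying this set will fail unless that definition is added to the policy definitions library in the same change. The enclosing `policyDefinitions` array begins outside this hunk.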
@@ -41,6 +41,104 @@ } } }, + "Deny-Aa-Cmk": { + "parameters": { + "effect": { + "value": "[[parameters('AutomationAccountCmkEffect')]" + } + } + }, + "Deny-Adf-Cmk": { + "parameters": { + "effect": { + "value": "[[parameters('adfCmk')]" + } + } + }, + "Deny-ADX-Cmk": { + "parameters": { + "effect": { + "value": "[[parameters('adxCmk')]" + } + } + }, + "Deny-Backup-Cmk": { + "parameters": { + "effect": { + "value": "[[parameters('BackupCmkEffect')]" + } + } + }, + "Deny-CognitiveSearch-Cmk": { + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchCmk')]" + } + } + }, + "Deny-ContainerInstance-Cmk": { + "parameters": { + "effect": { + "value": "[[parameters('containerInstanceCmk')]" + } + } + }, + "Deny-EH-Cmk": { + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesCmk')]" + } + } + }, + "Deny-EH-Premium-CMK": { + "parameters": { + "effect": { + "value": "[[parameters('eventHubPremiumCmk')]" + } + } + }, + "Deny-OsAndDataDisk-Cmk": { + "parameters": { + "effect": { + "value": "[[parameters('osAndDataDiskCmk')]" + } + } + }, + "Deny-Sb-Cmk": { + "parameters": { + "effect": { + "value": "[[parameters('serviceBusDenyCmk')]" + } + } + }, + "Deny-Sql-Managed-Cmk": { + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedCmk')]" + } + } + }, + "Deny-Storage-Encryption-Cmk": { + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsEncryptionCmk')]" + } + } + }, + "Deny-Storage-Queue-Cmk": { + "parameters": { + "effect": { + "value": "[[parameters('storageQueueCmk')]" + } + } + }, + "Deny-Storage-Table-Cmk": { + "parameters": { + "effect": { + "value": "[[parameters('storageTableCmk')]" + } + } + }, "EncryptedVMDisksEffect": { "parameters": { "effect": { 
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-APIM.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-APIM.json new file mode 100644 index 000000000..b412c27b4 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-APIM.json 
@@ -0,0 +1,234 @@ +{ + "name": "Enforce-Guardrails-APIM", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for API Management", + "description": "This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "API Management", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "apiSubscriptionScope": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "minimumApiVersion": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "apimSkuVnet": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "apimDisablePublicNetworkAccess": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "apimApiBackendCertValidation": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "apimDirectApiEndpoint": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "apimCallApiAuthn": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "apimEncryptedProtocols": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "apimVnetUsage": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "apimSecrets": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + 
"Audit", + "Deny", + "Disabled" + ] + }, + "apimTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Deny-Apim-without-Kv", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249", + "parameters": { + "effect": { + "value": "[[parameters('apimSecrets')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Apim-without-Vnet", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b", + "parameters": { + "effect": { + "value": "[[parameters('apimVnetUsage')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-APIM-TLS", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS", + "parameters": { + "effect": { + "value": "[[parameters('apimTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Apim-Protocols", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4", + "parameters": { + "effect": { + "value": "[[parameters('apimEncryptedProtocols')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Apim-Authn", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54", + "parameters": { + "effect": { + "value": "[[parameters('apimCallApiAuthn')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Apim-Direct-Endpoint", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4", + "parameters": { + "effect": { + "value": "[[parameters('apimDirectApiEndpoint')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": 
"Deny-Apim-Cert-Validation", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4", + "parameters": { + "effect": { + "value": "[[parameters('apimApiBackendCertValidation')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-Apim-Public-NetworkAccess", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2", + "parameters": { + "effect": { + "value": "[[parameters('apimDisablePublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Apim-Sku-Vnet", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5", + "parameters": { + "effect": { + "value": "[[parameters('apimSkuVnet')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Apim-Version", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67", + "parameters": { + "effect": { + "value": "[[parameters('minimumApiVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Api-subscription-scope", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1", + "parameters": { + "effect": { + "value": "[[parameters('apiSubscriptionScope')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-APIM.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-APIM.parameters.json new file mode 100644 index 000000000..a46d91043 --- /dev/null 
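Review bot: `Dine-Apim-Public-NetworkAccess` defaults `apimDisablePublicNetworkAccess` to `DeployIfNotExists`, which only remediates when the assignment carries a managed identity holding the role the built-in `7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2` requires; nothing in the initiative or its metadata says so, and an assignment created without an identity will report non-compliance but never remediate. `Deny-APIM-TLS` resolves through `${varTargetManagementGroupResourceId}` to a custom definition that must exist in the definitions library before this set is deployed. None of the eleven parameters has a `metadata` block, so the portal shows names like `apimSkuVnet` with no explanation of what Deny actually blocks; a one-line `description` per parameter, in the style of the existing Enforce-Encryption-CMK set, would make the compliance view readable.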
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-APIM.parameters.json @@ -0,0 +1,79 @@ +{ + "Deny-Api-subscription-scope": { + "parameters": { + "effect": { + "value": "[[parameters('apiSubscriptionScope')]" + } + } + }, + "Deny-Apim-Authn": { + "parameters": { + "effect": { + "value": "[[parameters('apimCallApiAuthn')]" + } + } + }, + "Deny-Apim-Cert-Validation": { + "parameters": { + "effect": { + "value": "[[parameters('apimApiBackendCertValidation')]" + } + } + }, + "Deny-Apim-Direct-Endpoint": { + "parameters": { + "effect": { + "value": "[[parameters('apimDirectApiEndpoint')]" + } + } + }, + "Deny-Apim-Protocols": { + "parameters": { + "effect": { + "value": "[[parameters('apimEncryptedProtocols')]" + } + } + }, + "Deny-Apim-Sku-Vnet": { + "parameters": { + "effect": { + "value": "[[parameters('apimSkuVnet')]" + } + } + }, + "Deny-APIM-TLS": { + "parameters": { + "effect": { + "value": "[[parameters('apimTls')]" + } + } + }, + "Deny-Apim-Version": { + "parameters": { + "effect": { + "value": "[[parameters('minimumApiVersion')]" + } + } + }, + "Deny-Apim-without-Kv": { + "parameters": { + "effect": { + "value": "[[parameters('apimSecrets')]" + } + } + }, + "Deny-Apim-without-Vnet": { + "parameters": { + "effect": { + "value": "[[parameters('apimVnetUsage')]" + } + } + }, + "Dine-Apim-Public-NetworkAccess": { + "parameters": { + "effect": { + "value": "[[parameters('apimDisablePublicNetworkAccess')]" + } + } + } +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-AppServices.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-AppServices.json new file mode 100644 index 000000000..14392505f --- /dev/null 
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-AppServices.json 
@@ -0,0 +1,367 @@ +{ + "name": "Enforce-Guardrails-AppServices", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for App Service", + "description": "This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "App Service", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "functionAppDebugging": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceDisableLocalAuth": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceSkuPl": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceDisableLocalAuthFtp": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceRouting": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceScmAuth": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceRfc": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppsRfc": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppsVnetRouting": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceEnvLatestVersion": { + "type": 
"string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotsRemoteDebugging": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceAppsRemoteDebugging": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceByoc": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "functionAppSlotsModifyHttps": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "appServiceAppHttps": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "functionAppSlotsModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "appServiceAppsModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "appServiceAppModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Deny-AppService-Byoc", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC", + "parameters": { + "effect": { + "value": "[[parameters('appServiceByoc')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-AppService-Apps-Remote-Debugging", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b", + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsRemoteDebugging')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": 
"Deny-AppService-Slots-Remote-Debugging", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd", + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotsRemoteDebugging')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AppService-Latest-Version", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a", + "parameters": { + "effect": { + "value": "[[parameters('appServiceEnvLatestVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AppService-Vnet-Routing", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5", + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsVnetRouting')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AppService-Rfc", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1", + "parameters": { + "effect": { + "value": "[[parameters('appServiceRfc')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AppServiceApps-Rfc", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222", + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsRfc')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-FuncApp-Debugging", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb", + "parameters": { + "effect": { + "value": "[[parameters('functionAppDebugging')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-AppService-ScmAuth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79", + "parameters": { + "effect": { + 
"value": "[[parameters('appServiceScmAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AppServ-Routing", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4", + "parameters": { + "effect": { + "value": "[[parameters('appServiceRouting')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AppServ-FtpAuth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5", + "parameters": { + "effect": { + "value": "[[parameters('appServiceDisableLocalAuthFtp')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AppServ-SkuPl", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5", + "parameters": { + "effect": { + "value": "[[parameters('appServiceSkuPl')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-AppService-LocalAuth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae", + "parameters": { + "effect": { + "value": "[[parameters('appServiceDisableLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-AppService-Debugging", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b", + "parameters": { + "effect": { + "value": "[[parameters('functionAppDebugging')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b", + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsModifyHttps')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-AppService-Https", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63", + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppHttps')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c", + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsModifyPublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-AppService-Apps-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c", + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsModifyPublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-AppService-App-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee", + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppModifyPublicNetworkAccess')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-AppServices.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-AppServices.parameters.json new file mode 100644 index 000000000..031c6bd40 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-AppServices.parameters.json 
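Review bot: `DINE-AppService-Debugging` (built-in `25a5046c-c423-4805-9235-e844ae9ef49b`, which targets App Service apps rather than Function Apps) reuses `[[parameters('functionAppDebugging')]` as its effect, the same parameter that drives `DINE-FuncApp-Debugging`, so the two remediations cannot be toggled separately and the parameter name misdescribes half of what it controls; a dedicated parameter such as `appServiceDebugging` with the same `DeployIfNotExists`/`Disabled` values, bound via `"value": "[[parameters('appServiceDebugging')]"`, keeps them independent. Several reference IDs are prefixed `Deny-` although their effect parameter only allows DeployIfNotExists (`Deny-AppServ-FtpAuth` via `appServiceDisableLocalAuthFtp`, `Deny-AppService-Slots-Remote-Debugging` via `appServiceAppSlotsRemoteDebugging`), which will mislead anyone reading compliance results; renaming them `DINE-…` matches the neighbouring entries. The `Modify-*` and `DINE-*` references also require the assignment to carry a managed identity with the roles those built-ins need, which is worth stating in the initiative `description` since nothing here enforces it. As with the APIM set, the parameters have no `metadata` descriptions.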
@@ -0,0 +1,135 @@ +{ + "Deny-AppServ-FtpAuth": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceDisableLocalAuthFtp')]" + } + } + }, + "Deny-AppServ-Routing": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceRouting')]" + } + } + }, + "Deny-AppServ-SkuPl": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceSkuPl')]" + } + } + }, + "Deny-AppService-Byoc": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceByoc')]" + } + } + }, + "Deny-AppService-Latest-Version": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceEnvLatestVersion')]" + } + } + }, + "Deny-AppService-Rfc": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceRfc')]" + } + } + }, + "Deny-AppService-Slots-Remote-Debugging": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotsRemoteDebugging')]" + } + } + }, + "Deny-AppService-Vnet-Routing": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsVnetRouting')]" + } + } + }, + "Deny-AppServiceApps-Rfc": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsRfc')]" + } + } + }, + "Dine-AppService-Apps-Remote-Debugging": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsRemoteDebugging')]" + } + } + }, + "DINE-AppService-Debugging": { + "parameters": { + "effect": { + "value": "[[parameters('functionAppDebugging')]" + } + } + }, + "DINE-AppService-LocalAuth": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceDisableLocalAuth')]" + } + } + }, + "DINE-AppService-ScmAuth": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceScmAuth')]" + } + } + }, + "DINE-FuncApp-Debugging": { + "parameters": { + "effect": { + "value": "[[parameters('functionAppDebugging')]" + } + } + }, + "Modify-AppService-App-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppModifyPublicNetworkAccess')]" + 
} + } + }, + "Modify-AppService-Apps-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsModifyPublicNetworkAccess')]" + } + } + }, + "Modify-AppService-Https": { + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppHttps')]" + } + } + }, + "Modify-Function-Apps-Slots-Https": { + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsModifyHttps')]" + } + } + }, + "Modify-Function-Apps-Slots-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsModifyPublicNetworkAccess')]" + } + } + } +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Automation.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Automation.json new file mode 100644 index 000000000..3ff72e052 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Automation.json 
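Review bot: In the AppServices parameters file, `DINE-AppService-Debugging` and `DINE-FuncApp-Debugging` both resolve to the same initiative parameter, `[[parameters('functionAppDebugging')]`, so an assignment cannot set the App Service and Function App remote-debugging effects independently. If the two reference IDs really cover different resource types, give the first one its own parameter (for example `appServiceDebugging`) here and in the initiative's `parameters` block; if they are deliberately tied together, a short note in the initiative metadata would save the next reader the question. The initiative definition this file mirrors starts before this chunk, so I could only confirm the `DINE-AppService-Debugging` mapping from the visible lines.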
@@ -0,0 +1,137 @@ +{ + "name": "Enforce-Guardrails-Automation", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Automation Account", + "description": "This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Automation", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "aaModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "aaVariablesEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "aaLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "aaManagedIdentity": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "autoHotPatch": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "aaModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Deny-Windows-Vm-HotPatch", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc", + "parameters": { + "effect": { + "value": "[[parameters('autoHotPatch')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aa-Managed-Identity", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0", + "parameters": { + "effect": { + "value": 
"[[parameters('aaManagedIdentity')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aa-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700", + "parameters": { + "effect": { + "value": "[[parameters('aaLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aa-Variables-Encrypt", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735", + "parameters": { + "effect": { + "value": "[[parameters('aaVariablesEncryption')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-Aa-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81", + "parameters": { + "effect": { + "value": "[[parameters('aaModifyLocalAUth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-Aa-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c", + "parameters": { + "effect": { + "value": "[[parameters('aaModifyPublicNetworkAccess')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Automation.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Automation.parameters.json new file mode 100644 index 000000000..1bc6a2f51 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Automation.parameters.json 
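Review bot: The `Modify-Aa-Local-Auth` entry references `[[parameters('aaModifyLocalAUth')]` while the initiative's `parameters` block declares the parameter as `aaModifyLocalAuth`; the companion Automation `.parameters.json` hunk repeats the same spelling. ARM expression parameter lookups are, as far as I know, case-insensitive, so this may still deploy, but an exact-match search or a schema linter will not connect the reference to its declaration and the mismatch will resurface the first time the parameter is renamed. Change the value to `"value": "[[parameters('aaModifyLocalAuth')]"` in both files.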
@@ -0,0 +1,44 @@ +{ + "Deny-Aa-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('aaLocalAuth')]" + } + } + }, + "Deny-Aa-Managed-Identity": { + "parameters": { + "effect": { + "value": "[[parameters('aaManagedIdentity')]" + } + } + }, + "Deny-Aa-Variables-Encrypt": { + "parameters": { + "effect": { + "value": "[[parameters('aaVariablesEncryption')]" + } + } + }, + "Deny-Windows-Vm-HotPatch": { + "parameters": { + "effect": { + "value": "[[parameters('autoHotPatch')]" + } + } + }, + "Modify-Aa-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('aaModifyLocalAUth')]" + } + } + }, + "Modify-Aa-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('aaModifyPublicNetworkAccess')]" + } + } + } +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json new file mode 100644 index 000000000..e468d4919 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json 
@@ -0,0 +1,118 @@ +{ + "name": "Enforce-Guardrails-CognitiveServices", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Cognitive Services", + "description": "This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "cognitiveSearchSku": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveSearchLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "modifyCognitiveSearchLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "modifyCognitiveSearchPublicEndpoint": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "cognitiveServicesModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Deny-CognitiveSearch-SKU", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83", + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchSku')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-CongitiveSearch-LocalAuth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91", + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchLocalAuth')]" + 
} + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-CogntiveSearch-LocalAuth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75", + "parameters": { + "effect": { + "value": "[[parameters('modifyCognitiveSearchLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-CogntiveSearch-PublicEndpoint", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30", + "parameters": { + "effect": { + "value": "[[parameters('modifyCognitiveSearchPublicEndpoint')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-Cognitive-Services-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c", + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesModifyPublicNetworkAccess')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json new file mode 100644 index 000000000..df234f43e --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json 
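Review bot: Three `policyDefinitionReferenceId` values carry typos — `Deny-CongitiveSearch-LocalAuth`, `Modify-CogntiveSearch-LocalAuth` and `Modify-CogntiveSearch-PublicEndpoint` — and the companion CognitiveServices `.parameters.json` hunk repeats them. Reference IDs become part of compliance records and of exemption `policyDefinitionReferenceIds` once the initiative is assigned, so correcting them after release is a breaking rename. Rename them to `Deny-CognitiveSearch-LocalAuth`, `Modify-CognitiveSearch-LocalAuth` and `Modify-CognitiveSearch-PublicEndpoint` in both files before this ships.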
@@ -0,0 +1,37 @@ +{ + "Deny-CognitiveSearch-SKU": { + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchSku')]" + } + } + }, + "Deny-CongitiveSearch-LocalAuth": { + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchLocalAuth')]" + } + } + }, + "Modify-Cognitive-Services-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesModifyPublicNetworkAccess')]" + } + } + }, + "Modify-CogntiveSearch-LocalAuth": { + "parameters": { + "effect": { + "value": "[[parameters('modifyCognitiveSearchLocalAuth')]" + } + } + }, + "Modify-CogntiveSearch-PublicEndpoint": { + "parameters": { + "effect": { + "value": "[[parameters('modifyCognitiveSearchPublicEndpoint')]" + } + } + } +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Compute.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Compute.json new file mode 100644 index 000000000..5dda226f0 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Compute.json 
@@ -0,0 +1,64 @@ +{ + "name": "Enforce-Guardrails-Compute", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Compute", + "description": "This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Compute", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "diskDoubleEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "vmAndVmssEncryptionHost": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Deny-VmAndVmss-Encryption-Host", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87", + "parameters": { + "effect": { + "value": "[[parameters('vmAndVmssEncryptionHost')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Disk-Double-Encryption", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816", + "parameters": { + "effect": { + "value": "[[parameters('diskDoubleEncryption')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Compute.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Compute.parameters.json new file mode 100644 index 000000000..88a10b95e --- /dev/null 
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Compute.parameters.json
@@ -0,0 +1,16 @@
+{
+ "Deny-Disk-Double-Encryption": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('diskDoubleEncryption')]"
+ }
+ }
+ },
+ "Deny-VmAndVmss-Encryption-Host": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('vmAndVmssEncryptionHost')]"
+ }
+ }
+ }
+}
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerApps.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerApps.json
new file mode 100644
index 000000000..e7627f471
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerApps.json
@@ -0,0 +1,64 @@ +{ + "name": "Enforce-Guardrails-ContainerApps", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Container Apps", + "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Container Apps", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "containerAppsManagedIdentity": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerAppsVnetInjection": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Deny-ContainerApp-Vnet-Injection", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb", + "parameters": { + "effect": { + "value": "[[parameters('containerAppsVnetInjection')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ContainerApps-Managed-Identity", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7", + "parameters": { + "effect": { + "value": "[[parameters('containerAppsManagedIdentity')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerApps.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerApps.parameters.json new file mode 100644 index 000000000..e00bc789d --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerApps.parameters.json @@ -0,0 +1,16 @@ +{ + "Deny-ContainerApp-Vnet-Injection": { + "parameters": { + "effect": { + "value": "[[parameters('containerAppsVnetInjection')]" + } + } + }, + "Deny-ContainerApps-Managed-Identity": { + "parameters": { + "effect": { + "value": "[[parameters('containerAppsManagedIdentity')]" + } + } + } +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerInstance.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerInstance.json new file mode 100644 index 000000000..40eb49b9e --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerInstance.json 
@@ -0,0 +1,43 @@
+{
+ "name": "Enforce-Guardrails-ContainerInstance",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Container Instance",
+ "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Container Instances",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "containerInstanceVnet": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": {
+ "policyDefinitionReferenceId": "Deny-ContainerInstance-Vnet",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('containerInstanceVnet')]"
+ }
+ },
+ "groupNames": []
+ },
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerInstance.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerInstance.parameters.json
new file mode 100644
index 000000000..954db3f23
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerInstance.parameters.json
@@ -0,0 +1,9 @@
+{
+ "Deny-ContainerInstance-Vnet": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('containerInstanceVnet')]"
+ }
+ }
+ }
+}
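Review bot: `policyDefinitions` in the ContainerInstance initiative is written as a single object rather than an array containing that object, which is not the shape the `Microsoft.Authorization/policySetDefinitions` resource accepts; every other initiative in this commit uses `"policyDefinitions": [ { … } ]`, and the hunk header's 43-line count matches the object form, so this is the file's content rather than a rendering artifact. Wrap the entry so the block opens with `"policyDefinitions": [` followed by `{` and closes with `}` followed by `],`. The `description` on the same file still reads "ensures Container Apps is compliant", carried over from the Container Apps initiative; it should name Container Instances.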
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerRegistry.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerRegistry.json new file mode 100644 index 000000000..1fe1ecf72 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerRegistry.json 
@@ -0,0 +1,249 @@ +{ + "name": "Enforce-Guardrails-ContainerRegistry", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Container Registry", + "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Container Registry", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "containerRegistryUnrestrictedNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerRegistryRepositoryToken": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerRegistryModifyRepositoryToken": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "containerRegistryLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerRegistryModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "containerRegistryExports": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerRegistryAnAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerRegistryModifyAnAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "containerRegistrySkuPrivateLink": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + 
"containerRegistryArmAudience": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerRegistryModifyArmAudience": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "containerRegistryModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759", + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Repo-Token", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a", + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyRepositoryToken')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Arm-Audience", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3", + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryArmAudience')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Arm-Audience", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725", + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyArmAudience')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Sku-PrivateLink", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13", + "parameters": { + "effect": { + "value": 
"[[parameters('containerRegistrySkuPrivateLink')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Anonymous-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897", + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyAnAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Anonymous-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395", + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryAnAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Exports", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579", + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryExports')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2", + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Repo-Token", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366", + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryRepositoryToken')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Unrestricted-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71", + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryUnrestrictedNetworkAccess')]" + } + }, + "groupNames": 
[] + }, + { + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9", + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyPublicNetworkAccess')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerRegistry.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerRegistry.parameters.json new file mode 100644 index 000000000..65bbe84cb --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerRegistry.parameters.json 
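Review bot: The ContainerRegistry initiative's `description` still says `ensures Container Apps is compliant per regulated Landing Zones.` although the initiative targets Container Registry; change it to `ensures Container Registry is compliant per regulated Landing Zones.`. Separately, `containerRegistryAnAuth` and `containerRegistryModifyAnAuth` are the only parameter names in this set that abbreviate the control they govern, while the matching reference IDs spell out `Anonymous-Auth`; `containerRegistryAnonymousAuth` and `containerRegistryModifyAnonymousAuth` would read consistently, with the same rename applied in the companion `.parameters.json`.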
@@ -0,0 +1,86 @@ +{ + "Deny-ContainerRegistry-Anonymous-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryAnAuth')]" + } + } + }, + "Deny-ContainerRegistry-Arm-Audience": { + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryArmAudience')]" + } + } + }, + "Deny-ContainerRegistry-Exports": { + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryExports')]" + } + } + }, + "Deny-ContainerRegistry-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryLocalAuth')]" + } + } + }, + "Deny-ContainerRegistry-Repo-Token": { + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryRepositoryToken')]" + } + } + }, + "Deny-ContainerRegistry-Sku-PrivateLink": { + "parameters": { + "effect": { + "value": "[[parameters('containerRegistrySkuPrivateLink')]" + } + } + }, + "Deny-ContainerRegistry-Unrestricted-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryUnrestrictedNetworkAccess')]" + } + } + }, + "Modify-ContainerRegistry-Anonymous-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyAnAuth')]" + } + } + }, + "Modify-ContainerRegistry-Arm-Audience": { + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyArmAudience')]" + } + } + }, + "Modify-ContainerRegistry-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyLocalAuth')]" + } + } + }, + "Modify-ContainerRegistry-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyPublicNetworkAccess')]" + } + } + }, + "Modify-ContainerRegistry-Repo-Token": { + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyRepositoryToken')]" + } + } + } +} 
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CosmosDb.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CosmosDb.json new file mode 100644 index 000000000..d0b947f96 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CosmosDb.json 
@@ -0,0 +1,124 @@ +{ + "name": "Enforce-Guardrails-CosmosDb", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Cosmos DB", + "description": "This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Cosmos DB", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "cosmosDbLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cosmosDbFwRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cosmosDbAtp": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "cosmosDbModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "cosmosDbModifyPublicAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Modify-CosmosDb-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049", + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbModifyLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-CosmosDb-Atp", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656", + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbAtp')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": 
"Deny-CosmosDb-Fw-Rules", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb", + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbFwRules')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-CosmosDb-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2", + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Append-CosmosDb-Metadata", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5", + "parameters": {}, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-CosmosDb-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088", + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbModifyPublicAccess')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CosmosDb.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CosmosDb.parameters.json new file mode 100644 index 000000000..732e0385b --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CosmosDb.parameters.json 
@@ -0,0 +1,40 @@ +{ + "Append-CosmosDb-Metadata": { + "parameters": {} + }, + "Deny-CosmosDb-Fw-Rules": { + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbFwRules')]" + } + } + }, + "Deny-CosmosDb-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbLocalAuth')]" + } + } + }, + "Dine-CosmosDb-Atp": { + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbAtp')]" + } + } + }, + "Modify-CosmosDb-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbModifyLocalAuth')]" + } + } + }, + "Modify-CosmosDb-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbModifyPublicAccess')]" + } + } + } +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataExplorer.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataExplorer.json new file mode 100644 index 000000000..5fcdfc4e9 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataExplorer.json 
@@ -0,0 +1,101 @@ +{ + "name": "Enforce-Guardrails-DataExplorer", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Data Explorer", + "description": "This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Azure Data Explorer", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "adxEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adxDoubleEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adxSku": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adxModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Deny-ADX-Sku-without-PL-Support", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b", + "parameters": { + "effect": { + "value": "[[parameters('adxSku')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ADX-Double-Encryption", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1", + "parameters": { + "effect": { + "value": "[[parameters('adxDoubleEncryption')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ADX-Encryption", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e", + 
"parameters": { + "effect": { + "value": "[[parameters('adxEncryption')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-ADX-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa", + "parameters": { + "effect": { + "value": "[[parameters('adxModifyPublicNetworkAccess')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataExplorer.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataExplorer.parameters.json new file mode 100644 index 000000000..45a8872a8 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataExplorer.parameters.json @@ -0,0 +1,30 @@ +{ + "Deny-ADX-Double-Encryption": { + "parameters": { + "effect": { + "value": "[[parameters('adxDoubleEncryption')]" + } + } + }, + "Deny-ADX-Encryption": { + "parameters": { + "effect": { + "value": "[[parameters('adxEncryption')]" + } + } + }, + "Deny-ADX-Sku-without-PL-Support": { + "parameters": { + "effect": { + "value": "[[parameters('adxSku')]" + } + } + }, + "Modify-ADX-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('adxModifyPublicNetworkAccess')]" + } + } + } +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataFactory.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataFactory.json new file mode 100644 index 000000000..130aded41 --- /dev/null 
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataFactory.json 
@@ -0,0 +1,120 @@ +{ + "name": "Enforce-Guardrails-DataFactory", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Data Factory", + "description": "This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Data Factory", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "adfSqlIntegration": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adfLinkedServiceKeyVault": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adfGit": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adfManagedIdentity": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adfModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Deny-Adf-Managed-Identity", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a", + "parameters": { + "effect": { + "value": "[[parameters('adfManagedIdentity')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Adf-Git", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307", + "parameters": { + "effect": { + "value": "[[parameters('adfGit')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": 
"Deny-Adf-Linked-Service-Key-Vault", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0", + "parameters": { + "effect": { + "value": "[[parameters('adfLinkedServiceKeyVault')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Adf-Sql-Integration", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952", + "parameters": { + "effect": { + "value": "[[parameters('adfSqlIntegration')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-Adf-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7", + "parameters": { + "effect": { + "value": "[[parameters('adfModifyPublicNetworkAccess')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataFactory.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataFactory.parameters.json new file mode 100644 index 000000000..cba67c431 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataFactory.parameters.json 
@@ -0,0 +1,37 @@ +{ + "Deny-Adf-Git": { + "parameters": { + "effect": { + "value": "[[parameters('adfGit')]" + } + } + }, + "Deny-Adf-Linked-Service-Key-Vault": { + "parameters": { + "effect": { + "value": "[[parameters('adfLinkedServiceKeyVault')]" + } + } + }, + "Deny-Adf-Managed-Identity": { + "parameters": { + "effect": { + "value": "[[parameters('adfManagedIdentity')]" + } + } + }, + "Deny-Adf-Sql-Integration": { + "parameters": { + "effect": { + "value": "[[parameters('adfSqlIntegration')]" + } + } + }, + "Modify-Adf-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('adfModifyPublicNetworkAccess')]" + } + } + } +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventGrid.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventGrid.json new file mode 100644 index 000000000..d823b95ce --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventGrid.json 
@@ -0,0 +1,173 @@ +{ + "name": "Enforce-Guardrails-EventGrid", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Event Grid", + "description": "This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Event Grid", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "eventGridLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventGridPartnerNamespaceLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventGridPartnerNamespaceModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "eventGridTopicLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventGridTopicModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "eventGridDomainModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "eventGridDomainModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "eventGridTopicModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Modify-EventGrid-Partner-Namespace-Local-Auth", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924", + "parameters": { + "effect": { + "value": "[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1", + "parameters": { + "effect": { + "value": "[[parameters('eventGridDomainModifyLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-EventGrid-Topic-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c", + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04", + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicModifyLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-EventGrid-Partner-Namespace-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e", + "parameters": { + "effect": { + "value": "[[parameters('eventGridPartnerNamespaceLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-EventGrid-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd", + "parameters": { + "effect": { + "value": "[[parameters('eventGridLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Public-Network-Access", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4", + "parameters": { + "effect": { + "value": "[[parameters('eventGridDomainModifyPublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172", + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicModifyPublicNetworkAccess')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventGrid.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventGrid.parameters.json new file mode 100644 index 000000000..045b9ceae --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventGrid.parameters.json 
@@ -0,0 +1,58 @@ +{ + "Deny-EventGrid-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('eventGridLocalAuth')]" + } + } + }, + "Deny-EventGrid-Partner-Namespace-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('eventGridPartnerNamespaceLocalAuth')]" + } + } + }, + "Deny-EventGrid-Topic-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicLocalAuth')]" + } + } + }, + "Modify-EventGrid-Domain-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('eventGridDomainModifyLocalAuth')]" + } + } + }, + "Modify-EventGrid-Domain-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('eventGridDomainModifyPublicNetworkAccess')]" + } + } + }, + "Modify-EventGrid-Partner-Namespace-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]" + } + } + }, + "Modify-EventGrid-Topic-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicModifyLocalAuth')]" + } + } + }, + "Modify-EventGrid-Topic-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicModifyPublicNetworkAccess')]" + } + } + } +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventHub.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventHub.json new file mode 100644 index 000000000..281bd150f --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventHub.json 
@@ -0,0 +1,101 @@ +{ + "name": "Enforce-Guardrails-EventHub", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Event Hub", + "description": "This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Event Hub", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "eventHubAuthRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubNamespacesLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubNamespacesModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "eventHubNamespacesDoubleEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Deny-EH-Double-Encryption", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c", + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesDoubleEncryption')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-EH-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d", + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesModifyLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-EH-Local-Auth", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598", + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-EH-Auth-Rules", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7", + "parameters": { + "effect": { + "value": "[[parameters('eventHubAuthRules')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventHub.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventHub.parameters.json new file mode 100644 index 000000000..8269b0f14 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventHub.parameters.json @@ -0,0 +1,30 @@ +{ + "Deny-EH-Auth-Rules": { + "parameters": { + "effect": { + "value": "[[parameters('eventHubAuthRules')]" + } + } + }, + "Deny-EH-Double-Encryption": { + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesDoubleEncryption')]" + } + } + }, + "Deny-EH-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesLocalAuth')]" + } + } + }, + "Modify-EH-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesModifyLocalAuth')]" + } + } + } +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault-Sup.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault-Sup.json new file mode 100644 index 000000000..5f3bb0d60 --- /dev/null 
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault-Sup.json @@ -0,0 +1,62 @@ +{ + "name": "Enforce-Guardrails-KeyVault-Sup", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce additional recommended guardrails for Key Vault", + "description": "This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Key Vault", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "keyVaultManagedHsmDisablePublicNetworkModify": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "keyVaultModifyFw": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Modify-KV-PublicNetworkAccess", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-KV-Fw", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultModifyFw')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
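Review bot: The parameter `keyVaultManagedHsmDisablePublicNetworkModify` says Managed HSM, but it feeds a reference named `Modify-KV-PublicNetworkAccess`, so a reader cannot tell from this file whether definition `84d327c3-164a-4685-b453-900478614456` targets Key Vault or Managed HSM without resolving the GUID. Whichever it is, name both sides the same way, e.g. `"policyDefinitionReferenceId": "Modify-KV-Hsm-PublicNetworkAccess"` if it is the Managed HSM policy, or drop `ManagedHsm` from the parameter name if it is the vault policy. Neither parameter has a `metadata.displayName`/`description`, unlike the parameters of the existing `Enforce-Guardrails-KeyVault` initiative this "-Sup" initiative supplements; a one-line description on each would make the vault-versus-HSM distinction visible at assignment time. Both references default to `Modify`, so the assignment that consumes this definition needs a managed identity with the roles the built-ins declare. The file also lacks a trailing newline.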
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault-Sup.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault-Sup.parameters.json new file mode 100644 index 000000000..793faa2d8 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault-Sup.parameters.json @@ -0,0 +1,16 @@ +{ + "Modify-KV-Fw": { + "parameters": { + "effect": { + "value": "[[parameters('keyVaultModifyFw')]" + } + } + }, + "Modify-KV-PublicNetworkAccess": { + "parameters": { + "effect": { + "value": "[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]" + } + } + } +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json index 89c3e3007..7691b68e1 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Azure Key Vault", "description": "Enforce recommended guardrails for Azure Key Vault.", "metadata": { - "version": "1.0.0", + "version": "2.0.0", "category": "Key Vault", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ 
@@ -156,6 +156,292 @@ "description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'." }, "defaultValue": 90 + }, + "keyVaultCheckMinimumRSACertificateSize": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultMinimumRSACertificateSizeValue": { + "type": "integer", + "defaultValue": 2048, + "allowedValues": [ + 2048, + 3072, + 4096 + ] + }, + "keyVaultManagedHsmCheckMinimumRSAKeySize": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultManagedHsmMinimumRSAKeySizeValue": { + "type": "integer", + "defaultValue": 2048, + "allowedValues": [ + 2048, + 3072, + 4096 + ] + }, + "keyVaultCheckMinimumRSAKeySize": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultMinimumRSAKeySizeValue": { + "type": "integer", + "defaultValue": 2048, + "allowedValues": [ + 2048, + 3072, + 4096 + ] + }, + "keyVaultArmRbac": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultHmsPurgeProtection": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultCertificatesPeriod": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultCertValidPeriod": { + "type": "integer", + "defaultValue": 12 + }, + "keyVaultHmsKeysExpiration": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keysValidPeriod": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keysValidityInDays": { + 
"type": "integer", + "defaultValue": 90 + }, + "secretsValidPeriod": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "secretsValidityInDays": { + "type": "integer", + "defaultValue": 90 + }, + "keyVaultCertKeyTypes": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultEllipticCurve": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultCryptographicType": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keysActive": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keysActiveInDays": { + "type": "integer", + "defaultValue": 90 + }, + "keysCurveNames": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "secretsActiveInDays": { + "type": "integer", + "defaultValue": 90 + }, + "secretsActive": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultSecretContentType": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultNonIntegratedCa": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultNonIntegratedCaValue": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "The common name of the certificate authority", + "description": "The common name (CN) of the Certificate Authority (CA) provider. 
For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso" + } + }, + "keyVaultIntegratedCa": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultIntegratedCaValue": { + "type": "array", + "defaultValue": [ + "DigiCert", + "GlobalSign" + ] + }, + "keyVaultHsmMinimumDaysBeforeExpiration": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultHsmMinimumDaysBeforeExpirationValue": { + "type": "integer", + "defaultValue": 90 + }, + "keyVaultHmsCurveNames": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultHmsCurveNamesValue": { + "type": "array", + "defaultValue": [ + "P-256", + "P-256K", + "P-384", + "P-521" + ] + }, + "keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue": { + "type": "integer", + "defaultValue": 90 } }, "policyDefinitions": [ 
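Review bot: The default for `keyVaultHmsCurveNamesValue` includes `P-256K` (secp256k1) alongside the NIST P-curves, which is an unusual default for an initiative positioned as guardrails for regulated landing zones; secp256k1 is not one of the NIST-recommended curves, so if the intent is FIPS-aligned key material the default allow-list should probably be `["P-256", "P-384", "P-521"]`, with tenants that need secp256k1 opting in at assignment. Separately, the new validity controls are asymmetric: `secretsValidPeriod` defaults to `Deny` with `secretsValidityInDays` 90, while `keysValidPeriod`, `keysActive`, `secretsActive` and `keyVaultCertificatesPeriod` all default to `Disabled`, so keys can be created with unbounded validity while secrets cannot; if that is deliberate a parameter description should say so, and if not `keysValidPeriod` should default to `Deny` like its secrets counterpart. `keyVaultNonIntegratedCaValue` defaults to `""` while `keyVaultNonIntegratedCa` defaults to `Disabled`; extending its `description` with "must be set before changing keyVaultNonIntegratedCa to Audit or Deny" would stop someone switching the effect on with an empty CN. The enclosing `parameters` object begins before this hunk.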
@@ -250,6 +536,255 @@ } }, "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-RSA-Keys-without-MinCertSize", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCheckMinimumRSACertificateSize')]" + }, + "minimumRSAKeySize": { + "value": "[[parameters('keyVaultMinimumRSACertificateSizeValue')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]" + }, + "minimumRSAKeySize": { + "value": "[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-RSA-Keys-without-MinKeySize", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCheckMinimumRSAKeySize')]" + }, + "minimumRSAKeySize": { + "value": "[[parameters('keyVaultMinimumRSAKeySizeValue')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-without-ArmRbac", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultArmRbac')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Hms-PurgeProtection", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultHmsPurgeProtection')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Cert-Period", + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCertificatesPeriod')]" + }, + "maximumValidityInMonths": { + "value": "[[parameters('keyVaultCertValidPeriod')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Hms-Key-Expire", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultHmsKeysExpiration')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Keys-Expire", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9", + "parameters": { + "effect": { + "value": "[[parameters('keysValidPeriod')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('keysValidityInDays')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Secrets-ValidityDays", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f", + "parameters": { + "effect": { + "value": "[[parameters('secretsValidPeriod')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('secretsValidityInDays')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Key-Types", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCertKeyTypes')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Elliptic-Curve", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultEllipticCurve')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "Deny-KV-Cryptographic-Type", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCryptographicType')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Key-Active", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9", + "parameters": { + "effect": { + "value": "[[parameters('keysActive')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('keysActiveInDays')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Curve-Names", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255", + "parameters": { + "effect": { + "value": "[[parameters('keysCurveNames')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Secret-ActiveDays", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe", + "parameters": { + "effect": { + "value": "[[parameters('secretsActive')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('secretsActiveInDays')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Kv-Secret-Content-Type", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultSecretContentType')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Kv-Non-Integrated-Ca", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultNonIntegratedCa')]" + }, + "caCommonName": { + "value": "[[parameters('keyVaultNonIntegratedCaValue')]" + } + }, + 
"groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Kv-Integrated-Ca", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultIntegratedCa')]" + }, + "allowedCAs": { + "value": "[[parameters('keyVaultIntegratedCaValue')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Kv-Hsm-MinimumDays-Before-Expiration", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Kv-Hsm-Curve-Names", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultHmsCurveNames')]" + }, + "allowedECNames": { + "value": "[[parameters('keyVaultHmsCurveNamesValue')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Kv-Cert-Expiration-Within-Specific-Number-Days", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427", + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]" + }, + "daysToExpire": { + "value": "[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]" + } + }, + "groupNames": [] } ], "policyDefinitionGroups": null 
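Review bot: The new reference ids spell the same acronym two ways — `Deny-KV-Hms-PurgeProtection` and `Deny-KV-Hms-Key-Expire` against `Deny-Kv-Hsm-Curve-Names` and `Deny-Kv-Hsm-MinimumDays-Before-Expiration` — and mix the prefix casing `Deny-KV-` with `Deny-Kv-`; the parameter names `keyVaultHmsPurgeProtection`, `keyVaultHmsKeysExpiration` and `keyVaultHmsCurveNames` carry the same `Hms` transposition while `keyVaultHsmMinimumDaysBeforeExpiration` does not. Because `policyDefinitionReferenceId` values are what compliance results and exemptions reference, and the `.parameters.json` hunk that follows repeats every one of them, normalising now is far cheaper than after merge; I would settle on `Deny-KV-Hsm-...` and `keyVaultHsm...` throughout and apply the same rename in the parameters file. Separately, `Deny-KV-Key-Active` and `Deny-KV-Secret-ActiveDays` wire to `keysActive` and `secretsActive`, which the parameters block above defaults to `Disabled` while the rest of the initiative defaults to `Deny`; if that is intentional it deserves a sentence in the module documentation so it is not read as an omission.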
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.parameters.json
index d57fe5555..6b771252d 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.parameters.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.parameters.json
@@ -1,4 +1,190 @@ { + "Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize": { + "parameters": { + "effect": { + "value": "[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]" + }, + "minimumRSAKeySize": { + "value": "[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]" + } + } + }, + "Deny-Kv-Cert-Expiration-Within-Specific-Number-Days": { + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]" + }, + "daysToExpire": { + "value": "[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]" + } + } + }, + "Deny-KV-Cert-Period": { + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCertificatesPeriod')]" + }, + "maximumValidityInMonths": { + "value": "[[parameters('keyVaultCertValidPeriod')]" + } + } + }, + "Deny-KV-Cryptographic-Type": { + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCryptographicType')]" + } + } + }, + "Deny-KV-Curve-Names": { + "parameters": { + "effect": { + "value": "[[parameters('keysCurveNames')]" + } + } + }, + "Deny-KV-Elliptic-Curve": { + "parameters": { + "effect": { + "value": "[[parameters('keyVaultEllipticCurve')]" + } + } + }, + "Deny-KV-Hms-Key-Expire": { + "parameters": { + "effect": { + "value": "[[parameters('keyVaultHmsKeysExpiration')]" + } + } + }, + "Deny-KV-Hms-PurgeProtection": { + "parameters": { + "effect": { + "value": "[[parameters('keyVaultHmsPurgeProtection')]" + } + } + }, + "Deny-Kv-Hsm-Curve-Names": { + "parameters": { + "effect": { + "value": "[[parameters('keyVaultHmsCurveNames')]" + }, + "allowedECNames": { + "value": "[[parameters('keyVaultHmsCurveNamesValue')]" + } + } + }, + "Deny-Kv-Hsm-MinimumDays-Before-Expiration": { + "parameters": { + "effect": { + "value": "[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]" + } + } + }, + "Deny-Kv-Integrated-Ca": { + 
"parameters": { + "effect": { + "value": "[[parameters('keyVaultIntegratedCa')]" + }, + "allowedCAs": { + "value": "[[parameters('keyVaultIntegratedCaValue')]" + } + } + }, + "Deny-KV-Key-Active": { + "parameters": { + "effect": { + "value": "[[parameters('keysActive')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('keysActiveInDays')]" + } + } + }, + "Deny-KV-Key-Types": { + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCertKeyTypes')]" + } + } + }, + "Deny-KV-Keys-Expire": { + "parameters": { + "effect": { + "value": "[[parameters('keysValidPeriod')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('keysValidityInDays')]" + } + } + }, + "Deny-Kv-Non-Integrated-Ca": { + "parameters": { + "effect": { + "value": "[[parameters('keyVaultNonIntegratedCa')]" + }, + "caCommonName": { + "value": "[[parameters('keyVaultNonIntegratedCaValue')]" + } + } + }, + "Deny-KV-RSA-Keys-without-MinCertSize": { + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCheckMinimumRSACertificateSize')]" + }, + "minimumRSAKeySize": { + "value": "[[parameters('keyVaultMinimumRSACertificateSizeValue')]" + } + } + }, + "Deny-KV-RSA-Keys-without-MinKeySize": { + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCheckMinimumRSAKeySize')]" + }, + "minimumRSAKeySize": { + "value": "[[parameters('keyVaultMinimumRSAKeySizeValue')]" + } + } + }, + "Deny-KV-Secret-ActiveDays": { + "parameters": { + "effect": { + "value": "[[parameters('secretsActive')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('secretsActiveInDays')]" + } + } + }, + "Deny-Kv-Secret-Content-Type": { + "parameters": { + "effect": { + "value": "[[parameters('keyVaultSecretContentType')]" + } + } + }, + "Deny-KV-Secrets-ValidityDays": { + "parameters": { + "effect": { + "value": "[[parameters('secretsValidPeriod')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('secretsValidityInDays')]" + } + } + }, + "Deny-KV-without-ArmRbac": { + 
"parameters": { + "effect": { + "value": "[[parameters('keyVaultArmRbac')]" + } + } + }, "KvCertLifetime": { "parameters": { "effect": { diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.json new file mode 100644 index 000000000..9ea87816f --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.json 
@@ -0,0 +1,326 @@ +{ + "name": "Enforce-Guardrails-Kubernetes", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Kubernetes", + "description": "This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Kubernetes", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "aksKms": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "aksCni": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "aksLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksPrivateCluster": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksPolicy": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "aksCommandInvoke": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "aksReadinessOrLivenessProbes": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksPrivContainers": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksPrivEscalation": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksAllowedCapabilities": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + 
"aksTempDisk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksInternalLb": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksDefaultNamespace": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksNakedPods": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksShareHostProcessAndNamespace": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksWindowsContainerAdministrator": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Deny-Aks-Windows-Container-Administrator", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75", + "parameters": { + "effect": { + "value": "[[parameters('aksWindowsContainerAdministrator')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Shared-Host-Process-Namespace", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8", + "parameters": { + "effect": { + "value": "[[parameters('aksShareHostProcessAndNamespace')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Naked-Pods", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581", + "parameters": { + "effect": { + "value": "[[parameters('aksNakedPods')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Default-Namespace", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373", + "parameters": { + 
"effect": { + "value": "[[parameters('aksDefaultNamespace')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Internal-Lb", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e", + "parameters": { + "effect": { + "value": "[[parameters('aksInternalLb')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Temp-Disk-Encryption", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c", + "parameters": { + "effect": { + "value": "[[parameters('aksTempDisk')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Allowed-Capabilities", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c", + "parameters": { + "effect": { + "value": "[[parameters('aksAllowedCapabilities')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Priv-Escalation", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", + "parameters": { + "effect": { + "value": "[[parameters('aksPrivEscalation')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Priv-Containers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", + "parameters": { + "effect": { + "value": "[[parameters('aksPrivContainers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-ReadinessOrLiveness-Probes", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915", + "parameters": { + "effect": { + "value": "[[parameters('aksReadinessOrLivenessProbes')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-Aks-Command-Invoke", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc", + "parameters": { + "effect": { + "value": "[[parameters('aksCommandInvoke')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-Aks-Policy", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", + "parameters": { + "effect": { + "value": "[[parameters('aksPolicy')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Private-Cluster", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", + "parameters": { + "effect": { + "value": "[[parameters('aksPrivateCluster')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32", + "parameters": { + "effect": { + "value": "[[parameters('aksLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Kms", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008", + "parameters": { + "effect": { + "value": "[[parameters('aksKms')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Cni", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67", + "parameters": { + "effect": { + "value": "[[parameters('aksCni')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
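Review bot: The reference ids `Deny-Aks-Kms` and `Deny-Aks-Cni` carry a `Deny-` prefix although their effect parameters `aksKms` and `aksCni` only allow `Audit` or `Disabled`, so the id promises an enforcement the assignment can never produce; the same applies to `Deny-ML-Outdated-Os` (`mlOutdatedOS`, `Audit`/`Disabled`) in the MachineLearning hunk. Since the `.parameters.json` companions key on these ids and renaming later breaks any exemption that references them, I would rename to `Audit-Aks-Kms` and `Audit-Aks-Cni` now, mirroring the `Dine-` prefix this file already uses for its DeployIfNotExists entries, and update the Kubernetes parameters hunk to match. The `Dine-Aks-Policy` and `Dine-Aks-Command-Invoke` entries default to `DeployIfNotExists`, which only takes effect once the assignment carries a managed identity with the roles the built-in definitions declare; a short note in the module README would spare the first person assigning this initiative some debugging.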
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.parameters.json
new file mode 100644
index 000000000..4433bbb45
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.parameters.json
@@ -0,0 +1,114 @@ +{ + "Deny-Aks-Allowed-Capabilities": { + "parameters": { + "effect": { + "value": "[[parameters('aksAllowedCapabilities')]" + } + } + }, + "Deny-Aks-Cni": { + "parameters": { + "effect": { + "value": "[[parameters('aksCni')]" + } + } + }, + "Deny-Aks-Default-Namespace": { + "parameters": { + "effect": { + "value": "[[parameters('aksDefaultNamespace')]" + } + } + }, + "Deny-Aks-Internal-Lb": { + "parameters": { + "effect": { + "value": "[[parameters('aksInternalLb')]" + } + } + }, + "Deny-Aks-Kms": { + "parameters": { + "effect": { + "value": "[[parameters('aksKms')]" + } + } + }, + "Deny-Aks-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('aksLocalAuth')]" + } + } + }, + "Deny-Aks-Naked-Pods": { + "parameters": { + "effect": { + "value": "[[parameters('aksNakedPods')]" + } + } + }, + "Deny-Aks-Priv-Containers": { + "parameters": { + "effect": { + "value": "[[parameters('aksPrivContainers')]" + } + } + }, + "Deny-Aks-Priv-Escalation": { + "parameters": { + "effect": { + "value": "[[parameters('aksPrivEscalation')]" + } + } + }, + "Deny-Aks-Private-Cluster": { + "parameters": { + "effect": { + "value": "[[parameters('aksPrivateCluster')]" + } + } + }, + "Deny-Aks-ReadinessOrLiveness-Probes": { + "parameters": { + "effect": { + "value": "[[parameters('aksReadinessOrLivenessProbes')]" + } + } + }, + "Deny-Aks-Shared-Host-Process-Namespace": { + "parameters": { + "effect": { + "value": "[[parameters('aksShareHostProcessAndNamespace')]" + } + } + }, + "Deny-Aks-Temp-Disk-Encryption": { + "parameters": { + "effect": { + "value": "[[parameters('aksTempDisk')]" + } + } + }, + "Deny-Aks-Windows-Container-Administrator": { + "parameters": { + "effect": { + "value": "[[parameters('aksWindowsContainerAdministrator')]" + } + } + }, + "Dine-Aks-Command-Invoke": { + "parameters": { + "effect": { + "value": "[[parameters('aksCommandInvoke')]" + } + } + }, + "Dine-Aks-Policy": { + "parameters": { + "effect": { + "value": 
"[[parameters('aksPolicy')]" + } + } + } +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json new file mode 100644 index 000000000..e723eeebe --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json 
@@ -0,0 +1,118 @@ +{ + "name": "Enforce-Guardrails-MachineLearning", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Machine Learning", + "description": "This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "mlUserAssignedIdentity": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "mlModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "mlLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "mlOutdatedOS": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "mlModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Deny-ML-Outdated-Os", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2", + "parameters": { + "effects": { + "value": "[[parameters('mlOutdatedOS')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ML-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f", + "parameters": { + "effect": { + "value": "[[parameters('mlLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-ML-Local-Auth", + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512", + "parameters": { + "effect": { + "value": "[[parameters('mlModifyLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ML-User-Assigned-Identity", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78", + "parameters": { + "effect": { + "value": "[[parameters('mlUserAssignedIdentity')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-ML-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f", + "parameters": { + "effect": { + "value": "[[parameters('mlModifyPublicNetworkAccess')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.parameters.json new file mode 100644 index 000000000..fb3ec82cd --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.parameters.json 
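Review bot: The `Deny-ML-Outdated-Os` entry passes its effect under the key `effects`, while every other entry in this file and in the other new initiatives uses `effect`; if that is the actual parameter name of built-in `f110a506-2dcb-422e-bcea-d533fc8c35e2` the entry is correct and a deliberate exception, otherwise the initiative will be rejected at deployment for an unknown parameter. Please confirm against the built-in definition and, since JSON has no comment syntax here, record the quirk in the module documentation so a future cleanup does not "fix" it; the `.parameters.json` hunk for this initiative repeats the same key. The `Modify-ML-Local-Auth` and `Modify-ML-Public-Network-Access` entries default to `Modify`, which like DeployIfNotExists only acts once the assignment carries a managed identity; the same documentation note could cover that.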
@@ -0,0 +1,37 @@
+{
+ "Deny-ML-Local-Auth": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlLocalAuth')]"
+ }
+ }
+ },
+ "Deny-ML-Outdated-Os": {
+ "parameters": {
+ "effects": {
+ "value": "[[parameters('mlOutdatedOS')]"
+ }
+ }
+ },
+ "Deny-ML-User-Assigned-Identity": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlUserAssignedIdentity')]"
+ }
+ }
+ },
+ "Modify-ML-Local-Auth": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlModifyLocalAuth')]"
+ }
+ }
+ },
+ "Modify-ML-Public-Network-Access": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlModifyPublicNetworkAccess')]"
+ }
+ }
+ }
+}
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MySQL.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MySQL.json
new file mode 100644
index 000000000..ac1d42ff5
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MySQL.json
@@ -0,0 +1,63 @@
+{
+ "name": "Enforce-Guardrails-MySQL",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for MySQL",
+ "description": "This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "MySQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "mySqlInfraEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "mySqlAdvThreatProtection": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Dine-MySql-Adv-Threat-Protection",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mySqlAdvThreatProtection')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-MySql-Infra-Encryption",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mySqlInfraEncryption')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MySQL.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MySQL.parameters.json
new file mode 100644
index 000000000..42fb85658
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MySQL.parameters.json
@@ -0,0 +1,16 @@
+{
+ "Deny-MySql-Infra-Encryption": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mySqlInfraEncryption')]"
+ }
+ }
+ },
+ "Dine-MySql-Adv-Threat-Protection": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mySqlAdvThreatProtection')]"
+ }
+ }
+ }
+}
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.json
new file mode 100644
index 000000000..2df0dfd65
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.json
@@ -0,0 +1,525 @@
+{
+ "name": "Enforce-Guardrails-Network",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Network and Networking services",
+ "description": "This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "subnetUdr": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "subnetNsg": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "subnetServiceEndpoint": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "appGwWaf": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "vnetModifyDdos": {
+ "type": "string",
+ "defaultValue": "Modify"
+ },
+ "ddosPlanResourceId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "wafMode": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "wafModeRequirement": {
+ "type": "string",
+ "defaultValue": "Prevention"
+ },
+ "wafFwRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "wafModeAppGw": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "wafModeAppGwRequirement": {
+ "type": "string",
+ "defaultValue": "Prevention"
+ },
+ "denyMgmtFromInternet": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "denyMgmtFromInternetPorts": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Ports",
+ "description": "Ports to be blocked"
+ },
+ "defaultValue": [
+ "22",
+ "3389"
+ ]
+ },
+ "afwEnbaleTlsForAllAppRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "afwEnableTlsInspection": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "afwEmptyIDPSBypassList": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "afwEnableAllIDPSSignatureRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "afwEnableIDPS": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "wafAfdEnabled": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "vpnAzureAD": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "appGwTlsVersion": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "modifyUdr": {
+ "type": "string",
+ "defaultValue": "Disabled"
+ },
+ "modifyUdrNextHopIpAddress": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "modifyUdrNextHopType": {
+ "type": "string",
+ "defaultValue": "None"
+ },
+ "modifyUdrAddressPrefix": {
+ "type": "string",
+ "defaultValue": "0.0.0.0/0"
+ },
+ "modifyNsg": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "modifyNsgRuleName": {
+ "type": "string",
+ "defaultValue": "DenyAnyInternetOutbound"
+ },
+ "modifyNsgRulePriority": {
+ "type": "integer",
+ "defaultValue": 1000
+ },
+ "modifyNsgRuleDirection": {
+ "type": "string",
+ "defaultValue": "Outbound"
+ },
+ "modifyNsgRuleAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "modifyNsgRuleProtocol": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "modifyNsgRuleSourceAddressPrefix": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "modifyNsgRuleSourcePortRange": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "modifyNsgRuleDestinationAddressPrefix": {
+ "type": "string",
+ "defaultValue": "Internet"
+ },
+ "modifyNsgRuleDestinationPortRange": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "modifyNsgRuleDescription": {
+ "type": "string",
+ "defaultValue": "Deny any outbound traffic to the Internet"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-Nsg-GW-subnet",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010",
+ "parameters": {},
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-VPN-AzureAD",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('vpnAzureAD')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Waf-Afd-Enabled",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('wafAfdEnabled')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Waf-IDPS",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('afwEnableIDPS')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-FW-AllIDPSS",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('afwEnableAllIDPSSignatureRules')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-FW-EmpIDPSBypass",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('afwEmptyIDPSBypassList')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-FW-TLS-Inspection",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('afwEnableTlsInspection')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-FW-TLS-AllApp",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('afwEnbaleTlsForAllAppRules')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Waf-AppGw-mode",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('wafModeAppGw')]"
+ },
+ "modeRequirement": {
+ "value": "[[parameters('wafModeAppGwRequirement')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Waf-Fw-rules",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('wafFwRules')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Waf-mode",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('wafMode')]"
+ },
+ "modeRequirement": {
+ "value": "[[parameters('wafModeRequirement')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-vNet-DDoS",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('vnetModifyDdos')]"
+ },
+ "ddosPlan": {
+ "value": "[[parameters('ddosPlanResourceId')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Ip-Forwarding",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
+ "parameters": {},
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-vNic-Pip",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114",
+ "parameters": {},
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-AppGw-Without-Waf",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('appGwWaf')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Subnet-Without-UDR",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-UDR",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('subnetUdr')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Subnet-Without-NSG",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('subnetNsg')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Subnet-with-Service-Endpoints",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('subnetServiceEndpoint')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Mgmt-From-Internet",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('denyMgmtFromInternet')]"
+ },
+ "ports": {
+ "value": "[[parameters('denyMgmtFromInternetPorts')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-AppGw-Without-Tls",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('appGwTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Udr",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('modifyUdr')]"
+ },
+ "nextHopIpAddress": {
+ "value": "[[parameters('modifyUdrNextHopIpAddress')]"
+ },
+ "nextHopType": {
+ "value": "[[parameters('modifyUdrNextHopType')]"
+ },
+ "addressPrefix": {
+ "value": "[[parameters('modifyUdrAddressPrefix')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Nsg",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('modifyNsg')]"
+ },
+ "nsgRuleName": {
+ "value": "[[parameters('modifyNsgRuleName')]"
+ },
+ "nsgRulePriority": {
+ "value": "[[parameters('modifyNsgRulePriority')]"
+ },
+ "nsgRuleDirection": {
+ "value": "[[parameters('modifyNsgRuleDirection')]"
+ },
+ "nsgRuleAccess": {
+ "value": "[[parameters('modifyNsgRuleAccess')]"
+ },
+ "nsgRuleProtocol": {
+ "value": "[[parameters('modifyNsgRuleProtocol')]"
+ },
+ "nsgRuleSourceAddressPrefix": {
+ "value": "[[parameters('modifyNsgRuleSourceAddressPrefix')]"
+ },
+ "nsgRuleSourcePortRange": {
+ "value": "[[parameters('modifyNsgRuleSourcePortRange')]"
+ },
+ "nsgRuleDestinationAddressPrefix": {
+ "value": "[[parameters('modifyNsgRuleDestinationAddressPrefix')]"
+ },
+ "nsgRuleDestinationPortRange": {
+ "value": "[[parameters('modifyNsgRuleDestinationPortRange')]"
+ },
+ "nsgRuleDescription": {
+ "value": "[[parameters('modifyNsgRuleDescription')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.parameters.json
new file mode 100644
index 000000000..f885c5eea
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.parameters.json
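Review bot: `modifyNsgRuleAccess` is declared with `allowedValues` of `Audit`, `Deny`, `Disabled`, yet it feeds the `nsgRuleAccess` parameter of the `Modify-Nsg` reference, which by its name and the default rule description (`Deny any outbound traffic to the Internet`) looks like the security rule's access value rather than a policy effect; if that reading is right, `Audit` and `Disabled` are not values an NSG rule accepts and the list should be `"allowedValues": ["Allow", "Deny"]` — the custom `Modify-NSG` definition is outside this diff, so please confirm against it. Separately, the parameter `afwEnbaleTlsForAllAppRules` is misspelled; it is used consistently here and in the parameters file, so it works, but this is the name assigners will have to type. `vnetModifyDdos` and `modifyUdr` have no `allowedValues` while every other effect parameter does; adding `"allowedValues": ["Modify", "Disabled"]` to both would match `modifyNsg` and stop a typo such as `"Modifiy"` from being accepted at assignment time.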
@@ -0,0 +1,195 @@
+{
+ "Deny-AppGw-Without-Tls": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('appGwTlsVersion')]"
+ }
+ }
+ },
+ "Deny-AppGw-Without-Waf": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('appGwWaf')]"
+ }
+ }
+ },
+ "Deny-FW-AllIDPSS": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('afwEnableAllIDPSSignatureRules')]"
+ }
+ }
+ },
+ "Deny-FW-EmpIDPSBypass": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('afwEmptyIDPSBypassList')]"
+ }
+ }
+ },
+ "Deny-FW-TLS-AllApp": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('afwEnbaleTlsForAllAppRules')]"
+ }
+ }
+ },
+ "Deny-FW-TLS-Inspection": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('afwEnableTlsInspection')]"
+ }
+ }
+ },
+ "Deny-Ip-Forwarding": {
+ "parameters": {}
+ },
+ "Deny-Mgmt-From-Internet": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('denyMgmtFromInternet')]"
+ },
+ "ports": {
+ "value": "[[parameters('denyMgmtFromInternetPorts')]"
+ }
+ }
+ },
+ "Deny-Nsg-GW-subnet": {
+ "parameters": {}
+ },
+ "Deny-Subnet-with-Service-Endpoints": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('subnetServiceEndpoint')]"
+ }
+ }
+ },
+ "Deny-Subnet-Without-NSG": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('subnetNsg')]"
+ }
+ }
+ },
+ "Deny-Subnet-Without-UDR": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('subnetUdr')]"
+ }
+ }
+ },
+ "Deny-vNic-Pip": {
+ "parameters": {}
+ },
+ "Deny-VPN-AzureAD": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('vpnAzureAD')]"
+ }
+ }
+ },
+ "Deny-Waf-Afd-Enabled": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('wafAfdEnabled')]"
+ }
+ }
+ },
+ "Deny-Waf-AppGw-mode": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('wafModeAppGw')]"
+ },
+ "modeRequirement": {
+ "value": "[[parameters('wafModeAppGwRequirement')]"
+ }
+ }
+ },
+ "Deny-Waf-Fw-rules": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('wafFwRules')]"
+ }
+ }
+ },
+ "Deny-Waf-IDPS": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('afwEnableIDPS')]"
+ }
+ }
+ },
+ "Deny-Waf-mode": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('wafMode')]"
+ },
+ "modeRequirement": {
+ "value": "[[parameters('wafModeRequirement')]"
+ }
+ }
+ },
+ "Modify-Nsg": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('modifyNsg')]"
+ },
+ "nsgRuleName": {
+ "value": "[[parameters('modifyNsgRuleName')]"
+ },
+ "nsgRulePriority": {
+ "value": "[[parameters('modifyNsgRulePriority')]"
+ },
+ "nsgRuleDirection": {
+ "value": "[[parameters('modifyNsgRuleDirection')]"
+ },
+ "nsgRuleAccess": {
+ "value": "[[parameters('modifyNsgRuleAccess')]"
+ },
+ "nsgRuleProtocol": {
+ "value": "[[parameters('modifyNsgRuleProtocol')]"
+ },
+ "nsgRuleSourceAddressPrefix": {
+ "value": "[[parameters('modifyNsgRuleSourceAddressPrefix')]"
+ },
+ "nsgRuleSourcePortRange": {
+ "value": "[[parameters('modifyNsgRuleSourcePortRange')]"
+ },
+ "nsgRuleDestinationAddressPrefix": {
+ "value": "[[parameters('modifyNsgRuleDestinationAddressPrefix')]"
+ },
+ "nsgRuleDestinationPortRange": {
+ "value": "[[parameters('modifyNsgRuleDestinationPortRange')]"
+ },
+ "nsgRuleDescription": {
+ "value": "[[parameters('modifyNsgRuleDescription')]"
+ }
+ }
+ },
+ "Modify-Udr": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('modifyUdr')]"
+ },
+ "nextHopIpAddress": {
+ "value": "[[parameters('modifyUdrNextHopIpAddress')]"
+ },
+ "nextHopType": {
+ "value": "[[parameters('modifyUdrNextHopType')]"
+ },
+ "addressPrefix": {
+ "value": "[[parameters('modifyUdrAddressPrefix')]"
+ }
+ }
+ },
+ "Modify-vNet-DDoS": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('vnetModifyDdos')]"
+ },
+ "ddosPlan": {
+ "value": "[[parameters('ddosPlanResourceId')]"
+ }
+ }
+ }
+}
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json
new file mode 100644
index 000000000..34e8b5ce8
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json
@@ -0,0 +1,139 @@
+{
+ "name": "Enforce-Guardrails-OpenAI",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Open AI (Cognitive Service)",
+ "description": "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Cognitive Services",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "cognitiveServicesOutboundNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "cognitiveServicesNetworkAcls": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "cognitiveServicesModifyDisableLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "cognitiveServicesDisableLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "cognitiveServicesCustomerStorage": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "cognitiveServicesManagedIdentity": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-OpenAi-OutboundNetworkAccess",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('cognitiveServicesOutboundNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-OpenAi-NetworkAcls",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('cognitiveServicesNetworkAcls')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('cognitiveServicesManagedIdentity')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Cognitive-Services-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('cognitiveServicesDisableLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Cognitive-Services-Cust-Storage",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('cognitiveServicesCustomerStorage')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('cognitiveServicesModifyDisableLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
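Review bot: The `policyDefinitionReferenceId` values in this initiative mix two naming schemes — `Deny-OpenAi-OutboundNetworkAccess` and `Deny-OpenAi-NetworkAcls` for the two custom definitions, `Deny-Cognitive-Services-*` and `Modify-Cognitive-Services-Local-Auth` for the built-ins — although all six target the same resource type. Reference ids become the keys of the companion parameters file and appear in compliance records, so settling on one prefix before the initiative ships avoids a rename later; `Deny-CognitiveServices-*` would also line up with the custom definition names `Deny-CognitiveServices-RestrictOutboundNetworkAccess` and `Deny-CognitiveServices-NetworkAcls` used in the same hunk.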
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.parameters.json
new file mode 100644
index 000000000..3281f8172
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.parameters.json
@@ -0,0 +1,44 @@
+{
+ "Deny-Cognitive-Services-Cust-Storage": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('cognitiveServicesCustomerStorage')]"
+ }
+ }
+ },
+ "Deny-Cognitive-Services-Local-Auth": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('cognitiveServicesDisableLocalAuth')]"
+ }
+ }
+ },
+ "Deny-Cognitive-Services-Managed-Identity": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('cognitiveServicesManagedIdentity')]"
+ }
+ }
+ },
+ "Deny-OpenAi-NetworkAcls": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('cognitiveServicesNetworkAcls')]"
+ }
+ }
+ },
+ "Deny-OpenAi-OutboundNetworkAccess": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('cognitiveServicesOutboundNetworkAccess')]"
+ }
+ }
+ },
+ "Modify-Cognitive-Services-Local-Auth": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('cognitiveServicesModifyDisableLocalAuth')]"
+ }
+ }
+ }
+}
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-PostgreSQL.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-PostgreSQL.json
new file mode 100644
index 000000000..8795c3acc
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-PostgreSQL.json
@@ -0,0 +1,42 @@
+{
+ "name": "Enforce-Guardrails-PostgreSQL",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for PostgreSQL",
+ "description": "This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "PostgreSQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "postgreSqlAdvThreatProtection": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": {
+ "policyDefinitionReferenceId": "Dine-PostgreSql-Adv-Threat-Protection",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('postgreSqlAdvThreatProtection')]"
+ }
+ },
+ "groupNames": []
+ },
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-PostgreSQL.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-PostgreSQL.parameters.json
new file mode 100644
index 000000000..dac08e677
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-PostgreSQL.parameters.json
@@ -0,0 +1,9 @@
+{
+ "Dine-PostgreSql-Adv-Threat-Protection": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('postgreSqlAdvThreatProtection')]"
+ }
+ }
+ }
+}
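Review bot: `policyDefinitions` in Enforce-Guardrails-PostgreSQL is a single object rather than an array of references; the `Microsoft.Authorization/policySetDefinitions` resource expects an array here, and every other initiative in this commit (MySQL, Network, OpenAI, SQL, ServiceBus, Storage) uses one, so this file as written should fail validation when the library is deployed. Wrapping the one reference fixes it: `"policyDefinitions": [` in place of `"policyDefinitions": {`, then `{` before `"policyDefinitionReferenceId": "Dine-PostgreSql-Adv-Threat-Protection"`, and `}` plus `],` in place of the `},` that closes the reference. The companion parameters file on this same line keys on the same reference id and needs no change once the definition is fixed.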
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-SQL.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-SQL.json
new file mode 100644
index 000000000..857ae7665
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-SQL.json
@@ -0,0 +1,106 @@
+{
+ "name": "Enforce-Guardrails-SQL",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for SQL and SQL Managed Instance",
+ "description": "This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "sqlManagedAadOnly": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "sqlAadOnly": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "sqlManagedDefender": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "modifySqlPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Dine-Sql-Managed-Defender",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('sqlManagedDefender')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Sql-Aad-Only",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('sqlAadOnly')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Sql-Managed-Aad-Only",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('sqlManagedAadOnly')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Dine-Sql-Adv-Data",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6",
+ "parameters": {},
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Sql-PublicNetworkAccess",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('modifySqlPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-SQL.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-SQL.parameters.json
new file mode 100644
index 000000000..626e975c8
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-SQL.parameters.json
@@ -0,0 +1,33 @@
+{
+ "Deny-Sql-Aad-Only": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('sqlAadOnly')]"
+ }
+ }
+ },
+ "Deny-Sql-Managed-Aad-Only": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('sqlManagedAadOnly')]"
+ }
+ }
+ },
+ "Dine-Sql-Adv-Data": {
+ "parameters": {}
+ },
+ "Dine-Sql-Managed-Defender": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('sqlManagedDefender')]"
+ }
+ }
+ },
+ "Modify-Sql-PublicNetworkAccess": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('modifySqlPublicNetworkAccess')]"
+ }
+ }
+ }
+}
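Review bot: `Dine-Sql-Adv-Data` is referenced with `"parameters": {}`, so its effect cannot be turned off or downgraded through the initiative, unlike `Dine-Sql-Managed-Defender` in the same file and the DINE references in the MySQL and PostgreSQL initiatives, which all expose an `effect` parameter limited to `DeployIfNotExists`/`Disabled`; `Deny-Nsg-GW-subnet`, `Deny-Ip-Forwarding` and `Deny-vNic-Pip` in the Network initiative have the same fixed-effect shape. If the referenced built-in accepts an `effect` parameter (not verifiable from this diff), adding a `sqlAdvData` initiative parameter and wiring `"effect": { "value": "[[parameters('sqlAdvData')]" }` would keep the initiatives uniform; if it does not, a one-line note in the module's generated docs saying the effect is fixed by the built-in would save the next reader the same question.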
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ServiceBus.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ServiceBus.json
new file mode 100644
index 000000000..7582604ae
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ServiceBus.json
@@ -0,0 +1,101 @@
+{
+ "name": "Enforce-Guardrails-ServiceBus",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Service Bus",
+ "description": "This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Service Bus",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "serviceBusModifyDisableLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "serviceBusDenyDisabledLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "serviceBusDoubleEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "serviceBusAuthzRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-Sb-Authz-Rules",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('serviceBusAuthzRules')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Sb-Encryption",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('serviceBusDoubleEncryption')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Sb-LocalAuth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('serviceBusDenyDisabledLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Sb-LocalAuth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('serviceBusModifyDisableLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ServiceBus.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ServiceBus.parameters.json
new file mode 100644
index 000000000..6f07aa36a
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ServiceBus.parameters.json
@@ -0,0 +1,30 @@
+{
+ "Deny-Sb-Authz-Rules": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('serviceBusAuthzRules')]"
+ }
+ }
+ },
+ "Deny-Sb-Encryption": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('serviceBusDoubleEncryption')]"
+ }
+ }
+ },
+ "Deny-Sb-LocalAuth": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('serviceBusDenyDisabledLocalAuth')]"
+ }
+ }
+ },
+ "Modify-Sb-LocalAuth": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('serviceBusModifyDisableLocalAuth')]"
+ }
+ }
+ }
+}
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.json
new file mode 100644
index 000000000..17ceff63c
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.json 
@@ -0,0 +1,463 @@ +{ + "name": "Enforce-Guardrails-Storage", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Storage Account", + "description": "This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "storageKeysExpiration": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountNetworkRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountRestrictNetworkRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageThreatProtection": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "storageClassicToArm": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsInfraEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountSharedKey": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsCrossTenant": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsDoubleEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsCopyScope": { + "type": 
"string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsAllowedCopyScope": { + "type": "string", + "defaultValue": "AAD" + }, + "storageServicesEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageLocalUser": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageSftp": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageNetworkAclsBypass": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAllowedNetworkAclsBypass": { + "type": "array", + "defaultValue": [ + "None" + ] + }, + "storageResourceAccessRulesTenantId": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageResourceAccessRulesResourceId": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageNetworkAclsVirtualNetworkRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageContainerDeleteRetentionPolicy": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageMinContainerDeleteRetentionInDays": { + "type": "Integer", + "defaultValue": 7 + }, + "storageCorsRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "modifyStorageFileSyncPublicEndpoint": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "modifyStorageAccountPublicEndpoint": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + 
"storageAccountsModifyDisablePublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Deny-Storage-CopyScope", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope", + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsCopyScope')]" + }, + "allowedCopyScope": { + "value": "[[parameters('storageAccountsAllowedCopyScope')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-ServicesEncryption", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption", + "parameters": { + "effect": { + "value": "[[parameters('storageServicesEncryption')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-LocalUser", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser", + "parameters": { + "effect": { + "value": "[[parameters('storageLocalUser')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Sftp", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-Sftp", + "parameters": { + "effect": { + "value": "[[parameters('storageSftp')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsBypass", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass", + "parameters": { + "effect": { + "value": "[[parameters('storageNetworkAclsBypass')]" + }, + "allowedBypassOptions": { + "value": "[[parameters('storageAllowedNetworkAclsBypass')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesTenantId", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId", + "parameters": { + "effect": { + "value": "[[parameters('storageResourceAccessRulesTenantId')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesResourceId", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId", + "parameters": { + "effect": { + "value": "[[parameters('storageResourceAccessRulesResourceId')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsVirtualNetworkRules", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules", + "parameters": { + "effect": { + "value": "[[parameters('storageNetworkAclsVirtualNetworkRules')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-ContainerDeleteRetentionPolicy", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy", + "parameters": { + "effect": { + "value": "[[parameters('storageContainerDeleteRetentionPolicy')]" + }, + "minContainerDeleteRetentionInDays": { + "value": "[[parameters('storageMinContainerDeleteRetentionInDays')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-CorsRules", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules", + "parameters": { + "effect": { + "value": "[[parameters('storageCorsRules')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Account-Encryption", + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d", + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsDoubleEncryption')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Cross-Tenant", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312", + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsCrossTenant')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Shared-Key", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54", + "parameters": { + "effect": { + "value": "[[parameters('storageAccountSharedKey')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Infra-Encryption", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a", + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsInfraEncryption')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Classic", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606", + "parameters": { + "effect": { + "value": "[[parameters('storageClassicToArm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-Storage-Threat-Protection", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c", + "parameters": { + "effect": { + "value": "[[parameters('storageThreatProtection')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Restrict-NetworkRules", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", + "parameters": { + "effect": { + "value": 
"[[parameters('storageAccountRestrictNetworkRules')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-NetworkRules", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f", + "parameters": { + "effect": { + "value": "[[parameters('storageAccountNetworkRules')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Account-Keys-Expire", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537", + "parameters": { + "effect": { + "value": "[[parameters('storageKeysExpiration')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-Storage-FileSync-PublicEndpoint", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b", + "parameters": { + "effect": { + "value": "[[parameters('modifyStorageFileSyncPublicEndpoint')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-Blob-Storage-Account-PublicEndpoint", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b", + "parameters": { + "effect": { + "value": "[[parameters('modifyStorageAccountPublicEndpoint')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-Storage-Account-PublicEndpoint", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d", + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
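Review bot: `storageLocalUser` in the parameters block near the top of this hunk defaults to `Disabled` while every other Deny-* effect parameter in the initiative defaults to `Deny`, so `Deny-Storage-LocalUser` is a no-op unless an assignment overrides it; if that is deliberate it should be stated, otherwise align it with `"defaultValue": "Deny"`. None of the initiative parameters carry a `metadata` block with `displayName`/`description`, so assigners see bare names such as `storageAllowedNetworkAclsBypass` and `storageMinContainerDeleteRetentionInDays` with no explanation of accepted values; the same applies to the Synapse and VirtualDesktop initiatives added later in this series. `storageAccountsAllowedCopyScope` is a free-form string with no `allowedValues`, so a typo in an assignment silently weakens `Deny-Storage-CopyScope`. These files appear to mirror the upstream Enterprise-Scale library (see `metadata.source`), so the fix presumably belongs upstream rather than in this copy.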
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.parameters.json new file mode 100644 index 000000000..cb19f3892 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.parameters.json 
@@ -0,0 +1,165 @@ +{ + "Deny-Storage-Account-Encryption": { + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsDoubleEncryption')]" + } + } + }, + "Deny-Storage-Account-Keys-Expire": { + "parameters": { + "effect": { + "value": "[[parameters('storageKeysExpiration')]" + } + } + }, + "Deny-Storage-Classic": { + "parameters": { + "effect": { + "value": "[[parameters('storageClassicToArm')]" + } + } + }, + "Deny-Storage-ContainerDeleteRetentionPolicy": { + "parameters": { + "effect": { + "value": "[[parameters('storageContainerDeleteRetentionPolicy')]" + }, + "minContainerDeleteRetentionInDays": { + "value": "[[parameters('storageMinContainerDeleteRetentionInDays')]" + } + } + }, + "Deny-Storage-CopyScope": { + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsCopyScope')]" + }, + "allowedCopyScope": { + "value": "[[parameters('storageAccountsAllowedCopyScope')]" + } + } + }, + "Deny-Storage-CorsRules": { + "parameters": { + "effect": { + "value": "[[parameters('storageCorsRules')]" + } + } + }, + "Deny-Storage-Cross-Tenant": { + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsCrossTenant')]" + } + } + }, + "Deny-Storage-Infra-Encryption": { + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsInfraEncryption')]" + } + } + }, + "Deny-Storage-LocalUser": { + "parameters": { + "effect": { + "value": "[[parameters('storageLocalUser')]" + } + } + }, + "Deny-Storage-NetworkAclsBypass": { + "parameters": { + "effect": { + "value": "[[parameters('storageNetworkAclsBypass')]" + }, + "allowedBypassOptions": { + "value": "[[parameters('storageAllowedNetworkAclsBypass')]" + } + } + }, + "Deny-Storage-NetworkAclsVirtualNetworkRules": { + "parameters": { + "effect": { + "value": "[[parameters('storageNetworkAclsVirtualNetworkRules')]" + } + } + }, + "Deny-Storage-NetworkRules": { + "parameters": { + "effect": { + "value": "[[parameters('storageAccountNetworkRules')]" + } + } + }, + 
"Deny-Storage-ResourceAccessRulesResourceId": { + "parameters": { + "effect": { + "value": "[[parameters('storageResourceAccessRulesResourceId')]" + } + } + }, + "Deny-Storage-ResourceAccessRulesTenantId": { + "parameters": { + "effect": { + "value": "[[parameters('storageResourceAccessRulesTenantId')]" + } + } + }, + "Deny-Storage-Restrict-NetworkRules": { + "parameters": { + "effect": { + "value": "[[parameters('storageAccountRestrictNetworkRules')]" + } + } + }, + "Deny-Storage-ServicesEncryption": { + "parameters": { + "effect": { + "value": "[[parameters('storageServicesEncryption')]" + } + } + }, + "Deny-Storage-Sftp": { + "parameters": { + "effect": { + "value": "[[parameters('storageSftp')]" + } + } + }, + "Deny-Storage-Shared-Key": { + "parameters": { + "effect": { + "value": "[[parameters('storageAccountSharedKey')]" + } + } + }, + "Dine-Storage-Threat-Protection": { + "parameters": { + "effect": { + "value": "[[parameters('storageThreatProtection')]" + } + } + }, + "Modify-Blob-Storage-Account-PublicEndpoint": { + "parameters": { + "effect": { + "value": "[[parameters('modifyStorageAccountPublicEndpoint')]" + } + } + }, + "Modify-Storage-Account-PublicEndpoint": { + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]" + } + } + }, + "Modify-Storage-FileSync-PublicEndpoint": { + "parameters": { + "effect": { + "value": "[[parameters('modifyStorageFileSyncPublicEndpoint')]" + } + } + } +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.json new file mode 100644 index 000000000..160708a26 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.json 
@@ -0,0 +1,202 @@ +{ + "name": "Enforce-Guardrails-Synapse", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Synapse workspaces", + "description": "This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Synapse", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "synapseLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseManagedVnet": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseDataTraffic": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseTenants": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseAllowedTenantIds": { + "type": "array", + "defaultValue": [ + "[[subscription().tenantId]" + ] + }, + "synapseFwRules": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "synapseDefender": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "synapseModifyTlsVersion": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "synapseModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + 
}, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Dine-Synapse-Defender", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6", + "parameters": { + "effect": { + "value": "[[parameters('synapseDefender')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-Synapse-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c", + "parameters": { + "effect": { + "value": "[[parameters('synapseModifyLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Synapse-Fw-Rules", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8", + "parameters": { + "effect": { + "value": "[[parameters('synapseFwRules')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Synapse-Tenant-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0", + "parameters": { + "effect": { + "value": "[[parameters('synapseTenants')]" + }, + "allowedTenantIds": { + "value": "[[parameters('synapseAllowedTenantIds')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Synapse-Data-Traffic", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218", + "parameters": { + "effect": { + "value": "[[parameters('synapseDataTraffic')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Synapse-Managed-Vnet", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650", + "parameters": { + "effect": { + "value": "[[parameters('synapseManagedVnet')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Synapse-Local-Auth", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8", + "parameters": { + "effect": { + "value": "[[parameters('synapseLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-Synapse-Tls-Version", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140", + "parameters": { + "effect": { + "value": "[[parameters('synapseModifyTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-Synapse-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a", + "parameters": { + "effect": { + "value": "[[parameters('synapseModifyPublicNetworkAccess')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.parameters.json new file mode 100644 index 000000000..bedd39339 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.parameters.json 
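Review bot: `synapseFwRules` defaults to `Audit` whereas every other Deny-* effect parameter in this initiative defaults to `Deny`, so `Deny-Synapse-Fw-Rules` only reports workspace firewall rules unless an assignment overrides the default; either document the weaker default or set `"defaultValue": "Deny"`. The `synapseAllowedTenantIds` default `"[[subscription().tenantId]"` is stored as the escaped expression `[subscription().tenantId]`; it is worth confirming that this resolves to the deploying tenant when the initiative is assigned at management-group scope rather than being compared as a literal string, since a literal would not match any real tenant ID and `Deny-Synapse-Tenant-Access` would then reject every workspace. As with the Storage initiative, the parameters carry no `metadata` descriptions.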
@@ -0,0 +1,68 @@ +{ + "Deny-Synapse-Data-Traffic": { + "parameters": { + "effect": { + "value": "[[parameters('synapseDataTraffic')]" + } + } + }, + "Deny-Synapse-Fw-Rules": { + "parameters": { + "effect": { + "value": "[[parameters('synapseFwRules')]" + } + } + }, + "Deny-Synapse-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('synapseLocalAuth')]" + } + } + }, + "Deny-Synapse-Managed-Vnet": { + "parameters": { + "effect": { + "value": "[[parameters('synapseManagedVnet')]" + } + } + }, + "Deny-Synapse-Tenant-Access": { + "parameters": { + "effect": { + "value": "[[parameters('synapseTenants')]" + }, + "allowedTenantIds": { + "value": "[[parameters('synapseAllowedTenantIds')]" + } + } + }, + "Dine-Synapse-Defender": { + "parameters": { + "effect": { + "value": "[[parameters('synapseDefender')]" + } + } + }, + "Modify-Synapse-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('synapseModifyLocalAuth')]" + } + } + }, + "Modify-Synapse-Public-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('synapseModifyPublicNetworkAccess')]" + } + } + }, + "Modify-Synapse-Tls-Version": { + "parameters": { + "effect": { + "value": "[[parameters('synapseModifyTlsVersion')]" + } + } + } +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-VirtualDesktop.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-VirtualDesktop.json new file mode 100644 index 000000000..faa9fa8f9 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-VirtualDesktop.json 
@@ -0,0 +1,62 @@ +{ + "name": "Enforce-Guardrails-VirtualDesktop", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Virtual Desktop", + "description": "This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Desktop Virtualization", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "avdWorkspaceModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "avdHostPoolModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Modify-Workspace-PublicNetworkAccess", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f", + "parameters": { + "effect": { + "value": "[[parameters('avdWorkspaceModifyPublicNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-Hostpool-PublicNetworkAccess", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d", + "parameters": { + "effect": { + "value": "[[parameters('avdHostPoolModifyPublicNetworkAccess')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-VirtualDesktop.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-VirtualDesktop.parameters.json new file mode 100644 index 000000000..932234af2 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-VirtualDesktop.parameters.json @@ -0,0 +1,16 @@ +{ + "Modify-Hostpool-PublicNetworkAccess": { + "parameters": { + "effect": { + "value": "[[parameters('avdHostPoolModifyPublicNetworkAccess')]" + } + } + }, + "Modify-Workspace-PublicNetworkAccess": { + "parameters": { + "effect": { + "value": "[[parameters('avdWorkspaceModifyPublicNetworkAccess')]" + } + } + } +} From 09816fbd0a4ec04f96757a3d85d402755fd36c0d Mon Sep 17 00:00:00 2001 From: github-actions Date: Wed, 5 Jun 2024 08:01:40 +0000 Subject: [PATCH 09/50] Update Policy Library (automated) --- .../_policySetDefinitionsBicepInput.txt | 4 ++-- ...policy_set_definition_es_Deny-PublicPaaSEndpoints.json | 8 ++++---- ...definition_es_Deny-PublicPaaSEndpoints.parameters.json | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt index 1d2ddaace..30e478bb6 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt 
@@ -190,9 +190,9 @@ var varCustomPolicySetDefinitionsArray = [
 definitionGroups: []
 }
 {
- definitionReferenceId: 'Deny-Graphana-PublicNetworkAccess'
+ definitionReferenceId: 'Deny-Grafana-PublicNetworkAccess'
 definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Graphana-PublicNetworkAccess'].parameters
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Grafana-PublicNetworkAccess'].parameters
 definitionGroups: []
 }
 {
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json
index 937bd11d9..09a0d916e 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json
@@ -8,7 +8,7 @@
 "displayName": "Public network access should be disabled for PaaS services",
 "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints",
 "metadata": {
- "version": "5.0.0",
+ "version": "5.1.0",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -506,7 +506,7 @@
 "Disabled"
 ]
 },
- "graphanaPublicNetworkAccess": {
+ "grafanaPublicNetworkAccess": {
 "type": "string",
 "defaultValue": "Deny",
 "allowedValues": [
@@ -958,11 +958,11 @@
 "groupNames": []
 },
 {
- "policyDefinitionReferenceId": "Deny-Graphana-PublicNetworkAccess",
+ "policyDefinitionReferenceId": "Deny-Grafana-PublicNetworkAccess",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628",
 "parameters": {
 "effect": {
- "value": "[[parameters('graphanaPublicNetworkAccess')]"
+ "value": "[[parameters('grafanaPublicNetworkAccess')]"
 }
 },
 "groupNames": []
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json
index 056f966fd..cf93ab603 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json
@@ -160,10 +160,10 @@
 }
 }
 },
- "Deny-Graphana-PublicNetworkAccess": {
+ "Deny-Grafana-PublicNetworkAccess": {
 "parameters": {
 "effect": {
- "value": "[[parameters('graphanaPublicNetworkAccess')]"
+ "value": "[[parameters('grafanaPublicNetworkAccess')]"
 }
 }
 },
From 675a0d901b573c65e427a806034dfc050afce4c7 Mon Sep 17 00:00:00 2001
From: github-actions Date: Thu, 6 Jun 2024 08:01:36 +0000 Subject: [PATCH 10/50] Update Policy Library (automated) --- .../_policyDefinitionsBicepInput.txt | 4 ++ ...inition_es_DenyAction-DeleteResources.json | 72 +++++++++++++++++++ .../_policySetDefinitionsBicepInput.txt | 18 ++--- ...on_es_Enforce-EncryptTransit_20240509.json | 4 +- ...ce-EncryptTransit_20240509.parameters.json | 2 +- ..._Enforce-Guardrails-ContainerInstance.json | 22 +++--- ...inition_es_Enforce-Guardrails-Network.json | 4 +- ...Enforce-Guardrails-Network.parameters.json | 2 +- ...tion_es_Enforce-Guardrails-PostgreSQL.json | 22 +++--- ...inition_es_Enforce-Guardrails-Storage.json | 4 +- ...Enforce-Guardrails-Storage.parameters.json | 2 +- 11 files changed, 118 insertions(+), 38 deletions(-) create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-DeleteResources.json diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt index 4f9fecc3c..cc8d0a300 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt @@ -290,6 +290,10 @@ name: 'DenyAction-ActivityLogs' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-ActivityLogs.json') } +{ + name: 'DenyAction-DeleteResources' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-DeleteResources.json') +} { name: 'DenyAction-DiagnosticLogs' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-DiagnosticLogs.json') 
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-DeleteResources.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-DeleteResources.json new file mode 100644 index 000000000..c28daa545 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-DeleteResources.json 
@@ -0,0 +1,72 @@
+{
+ "name": "DenyAction-DeleteResources",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Do not allow deletion of specified resource and resource type",
+ "description": "This policy enables you to specify the resource and resource type that your organization can protect from accidentals deletion by blocking delete calls using the deny action effect.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "General",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "resourceName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Resource Name",
+ "description": "Provide the name of the resource that you want to protect from accidental deletion."
+ }
+ },
+ "resourceType": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Resource Type",
+ "description": "Provide the resource type that you want to protect from accidental deletion."
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DenyAction",
+ "Disabled"
+ ],
+ "defaultValue": "DenyAction"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "[parameters('resourceType')]"
+ },
+ {
+ "field": "name",
+ "like": "[parameters('resourceName')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "actionNames": [
+ "delete"
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt
index 30e478bb6..f70087457 100644
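Review bot: The new definition's `description` string contains `accidentals deletion`; it should read `accidental deletion`, since this text surfaces in the portal and in compliance reports. The `name` condition uses `like`, which accepts `*` wildcards, so `resourceName` can match many resources at once while the parameter description only speaks of "the name of the resource"; I would change it to `"description": "Name of the resource (wildcard * supported) that you want to protect from accidental deletion."`. `details` sets only `actionNames`, so the platform default for cascading deletes of the parent resource group applies; whichever way that default falls, it is worth stating in the definition `metadata` so assigners are not surprised when a resource-group delete is blocked, or is not.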
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt
@@ -1846,9 +1846,9 @@ var varCustomPolicySetDefinitionsArray = [
 definitionGroups: []
 }
 {
- definitionReferenceId: 'Deny-EH-MINTLS'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-MINTLS'
- definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-EH-MINTLS'].parameters
+ definitionReferenceId: 'Deny-EH-minTLS'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-EH-minTLS'].parameters
 definitionGroups: []
 }
 {
@@ -3172,9 +3172,9 @@ var varCustomPolicySetDefinitionsArray = [
 definitionGroups: []
 }
 {
- definitionReferenceId: 'Deny-Subnet-Without-UDR'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-UDR'
- definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Subnet-Without-UDR'].parameters
+ definitionReferenceId: 'Deny-Subnet-Without-Udr'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Subnet-Without-Udr'].parameters
 definitionGroups: []
 }
 {
@@ -3460,9 +3460,9 @@ var varCustomPolicySetDefinitionsArray = [
 definitionGroups: []
 }
 {
- definitionReferenceId: 'Deny-Storage-Sftp'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-Sftp'
- definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-Sftp'].parameters
+ definitionReferenceId: 'Deny-Storage-SFTP'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-SFTP'].parameters
 definitionGroups: []
 }
 {
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.json
index 00e4fdefe..1b70b98b9 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.json
@@ -882,8 +882,8 @@
 "groupNames": []
 },
 {
- "policyDefinitionReferenceId": "Deny-EH-MINTLS",
- "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-MINTLS",
+ "policyDefinitionReferenceId": "Deny-EH-minTLS",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS",
 "parameters": {
 "effect": {
 "value": "[[parameters('eventHubMinTls')]"
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.parameters.json
index 5b9f5b4ef..c72426cc7 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.parameters.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.parameters.json
@@ -65,7 +65,7 @@
 }
 }
 },
- "Deny-EH-MINTLS": {
+ "Deny-EH-minTLS": {
 "parameters": {
 "effect": {
 "value": "[[parameters('eventHubMinTls')]"
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerInstance.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerInstance.json
index 40eb49b9e..5c54af455 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerInstance.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerInstance.json
@@ -28,16 +28,18 @@
 ]
 }
 },
- "policyDefinitions": {
- "policyDefinitionReferenceId": "Deny-ContainerInstance-Vnet",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615",
- "parameters": {
- "effect": {
- "value": "[[parameters('containerInstanceVnet')]"
- }
- },
- "groupNames": []
- },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-ContainerInstance-Vnet",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('containerInstanceVnet')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
 "policyDefinitionGroups": null
 }
 }
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.json
index 2df0dfd65..3ecf3e359 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.json
@@ -408,8 +408,8 @@
 "groupNames": []
 },
 {
- "policyDefinitionReferenceId": "Deny-Subnet-Without-UDR",
- "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-UDR",
+ "policyDefinitionReferenceId": "Deny-Subnet-Without-Udr",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr",
 "parameters": {
 "effect": {
 "value": "[[parameters('subnetUdr')]"
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.parameters.json
index f885c5eea..5e71095b9 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.parameters.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.parameters.json
@@ -71,7 +71,7 @@
 }
 }
 },
- "Deny-Subnet-Without-UDR": {
+ "Deny-Subnet-Without-Udr": {
 "parameters": {
 "effect": {
 "value": "[[parameters('subnetUdr')]"
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-PostgreSQL.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-PostgreSQL.json
index 8795c3acc..22963ce2a 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-PostgreSQL.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-PostgreSQL.json
@@ -27,16 +27,18 @@
 ]
 }
 },
- "policyDefinitions": {
- "policyDefinitionReferenceId": "Dine-PostgreSql-Adv-Threat-Protection",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3",
- "parameters": {
- "effect": {
- "value": "[[parameters('postgreSqlAdvThreatProtection')]"
- }
- },
- "groupNames": []
- },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Dine-PostgreSql-Adv-Threat-Protection",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('postgreSqlAdvThreatProtection')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
 "policyDefinitionGroups": null
 }
 }
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.json
index 17ceff63c..931f6fafe 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.json
@@ -262,8 +262,8 @@
 "groupNames": []
 },
 {
- "policyDefinitionReferenceId": "Deny-Storage-Sftp",
- "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-Sftp",
+ "policyDefinitionReferenceId": "Deny-Storage-SFTP",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP",
 "parameters": {
 "effect": {
 "value": "[[parameters('storageSftp')]"
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.parameters.json
index cb19f3892..f3d767d08 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.parameters.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.parameters.json
@@ -120,7 +120,7 @@
 }
 }
 },
- "Deny-Storage-Sftp": {
+ "Deny-Storage-SFTP": {
 "parameters": {
 "effect": {
 "value": "[[parameters('storageSftp')]"
From e0d27c91d90e1aa7c9d6e22343f6c43bf45dbef4 Mon Sep 17 00:00:00 2001
From: github-actions
Date: Tue, 11 Jun 2024 08:01:55 +0000
Subject: [PATCH 11/50] Update Policy Library (automated)
---
 ...nition_es_Deploy-ASC-SecurityContacts.json | 39 ++++++++-----------
 1 file changed, 17 insertions(+), 22 deletions(-)
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json
index fc32cb2ba..55c20e2ce 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json
@@ -9,7 +9,7 @@
 "displayName": "Deploy Microsoft Defender for Cloud Security Contacts",
 "description": "Deploy Microsoft Defender for Cloud Security Contacts",
 "metadata": {
- "version": "1.1.0",
+ "version": "2.0.0",
 "category": "Security Center",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -20,14 +20,14 @@
 },
 "parameters": {
 "emailSecurityContact": {
- "type": "string",
+ "type": "String",
 "metadata": {
 "displayName": "Security contacts email address",
- "description": "Provide email address for Azure Security Center contact details"
+ "description": "Provide email addresses (semi-colon separated) for Defender for Cloud contact details"
 }
 },
 "effect": {
- "type": "string",
+ "type": "String",
 "defaultValue": "DeployIfNotExists",
 "allowedValues": [
 "DeployIfNotExists",
@@ -39,7 +39,7 @@
 }
 },
 "minimalSeverity": {
- "type": "string",
+ "type": "String",
 "defaultValue": "High",
 "allowedValues": [
 "High",
@@ -77,20 +77,12 @@
 "contains": "[parameters('emailSecurityContact')]"
 },
 {
- "field": "Microsoft.Security/securityContacts/alertNotifications.minimalSeverity",
- "contains": "[parameters('minimalSeverity')]"
- },
- {
- "field": "type",
- "equals": "Microsoft.Security/securityContacts"
+ "field": "Microsoft.Security/securityContacts/isEnabled",
+ "equals": true
 },
 {
- "field": "Microsoft.Security/securityContacts/alertNotifications",
- "equals": "On"
- },
- {
- "field": "Microsoft.Security/securityContacts/alertsToAdmins",
- "equals": "On"
+ "field": "Microsoft.Security/securityContacts/notificationsSources[*].Alert.minimalSeverity",
+ "contains": "[parameters('minimalSeverity')]"
 }
 ]
 },
@@ -128,19 +128,22 @@
 {
 "type": "Microsoft.Security/securityContacts",
 "name": "default",
- "apiVersion": "2020-01-01-preview",
+ "apiVersion": "2023-12-01-preview",
 "properties": {
 "emails": "[parameters('emailSecurityContact')]",
+ "isEnabled": true,
 "notificationsByRole": {
 "state": "On",
 "roles": [
 "Owner"
 ]
 },
- "alertNotifications": {
- "state": "On",
- "minimalSeverity": "[parameters('minimalSeverity')]"
- }
+ "notificationsSources": [
+ {
+ "sourceType": "Alert",
+ "minimalSeverity": "[parameters('minimalSeverity')]"
+ }
+ ]
 }
 }
 ],
From 8c5fb5161d65e8b7c778d73c62df26522d468421 Mon Sep 17 00:00:00 2001
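Review bot: The rewritten existence condition in the `@@ -77,20 +77,12 @@` hunk drops the `alertsToAdmins` check without replacing it, while the deployment template in the `@@ -128,19 +128,22 @@` hunk still writes `notificationsByRole` with `"state": "On"` and `"roles": ["Owner"]`; a security contact whose role-based notifications have been switched off will now evaluate as compliant and is never remediated. If that setting is meant to be enforced, add an `allOf` entry such as `{ "field": "Microsoft.Security/securityContacts/notificationsByRole.state", "equals": "On" }` (confirm the alias exists for the `2023-12-01-preview` schema before relying on it). The unchanged `emails` check uses `contains` against a value the new parameter description says may be semi-colon separated, so an ordering or spacing difference between the parameter and the stored value yields a false non-compliance and a repeated DINE deployment; the expected format should be documented on the parameter. Pinning a preview `apiVersion` in a DINE template also deserves a line in `metadata` explaining why a GA version is not usable, so the next bump is deliberate.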
From: Zach Trocinski
Date: Sat, 15 Jun 2024 18:14:55 -0500
Subject: [PATCH 12/50] Update policy and policy set definition variables
---
 .../definitions/customPolicyDefinitions.bicep | 5235 ++++++++++++-----
 1 file changed, 3741 insertions(+), 1494 deletions(-)
diff --git a/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep b/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep
index 5643d3401..a05faadfd 100644
--- a/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep
+++ b/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep
@@ -61,10 +61,22 @@ var varCustomPolicyDefinitionsArray = [
 name: 'Deny-AA-child-resources'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AA-child-resources.json')
 }
+ {
+ name: 'Deny-APIM-TLS'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-APIM-TLS.json')
+ }
+ {
+ name: 'Deny-AppGw-Without-Tls'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppGw-Without-Tls.json')
+ }
 {
 name: 'Deny-AppGW-Without-WAF'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppGW-Without-WAF.json')
 }
+ {
+ name: 'Deny-AppService-without-BYOC'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppService-without-BYOC.json')
+ }
 {
 name: 'Deny-AppServiceApiApp-http'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceApiApp-http.json')
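Review bot: Every entry added in this hunk (`Deny-APIM-TLS`, `Deny-AppGw-Without-Tls`, `Deny-AppService-without-BYOC`) and in the later hunks of this file at `-77`, `-89`, `-105`, `-169`, `-177`, `-221`, `-457` and `-493` calls `loadJsonContent` on a `lib/policy_definitions/*.json` file, yet the diffstat shows this patch touches only `customPolicyDefinitions.bicep`. `loadJsonContent` is resolved at compile time, so the module fails to build unless each referenced file already exists from an earlier patch in the series; the preceding automated library updates appear to provide some of them, but that should be checked file by file rather than assumed. The comment on a removed line further down this file describes these arrays as hand-copied from the generated `_policyDefinitionsBicepInput.txt`, which is exactly how a reference drifts out of step; a build-time comparison of the array against the generated file would catch a missed or misspelled entry here. The enclosing `varCustomPolicyDefinitionsArray` literal starts before this hunk.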
@@ -77,6 +89,22 @@ var varCustomPolicyDefinitionsArray = [
 name: 'Deny-AppServiceWebApp-http'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceWebApp-http.json')
 }
+ {
+ name: 'Deny-AzFw-Without-Policy'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AzFw-Without-Policy.json')
+ }
+ {
+ name: 'Deny-CognitiveServices-NetworkAcls'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-NetworkAcls.json')
+ }
+ {
+ name: 'Deny-CognitiveServices-Resource-Kinds'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-Resource-Kinds.json')
+ }
+ {
+ name: 'Deny-CognitiveServices-RestrictOutboundNetworkAccess'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-RestrictOutboundNetworkAccess.json')
+ }
 {
 name: 'Deny-Databricks-NoPublicIp'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-NoPublicIp.json')
@@ -89,6 +117,14 @@ var varCustomPolicyDefinitionsArray = [
 name: 'Deny-Databricks-VirtualNetwork'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-VirtualNetwork.json')
 }
+ {
+ name: 'Deny-EH-minTLS'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-EH-minTLS.json')
+ }
+ {
+ name: 'Deny-EH-Premium-CMK'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-EH-Premium-CMK.json')
+ }
 {
 name: 'Deny-FileServices-InsecureAuth'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureAuth.json')
@@ -105,6 +141,14 @@ var varCustomPolicyDefinitionsArray = [
 name: 'Deny-FileServices-InsecureSmbVersions'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbVersions.json')
 }
+ {
+ name: 'Deny-LogicApp-Public-Network'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-LogicApp-Public-Network.json')
+ }
+ {
+ name: 'Deny-LogicApps-Without-Https'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-LogicApps-Without-Https.json')
+ }
 {
 name: 'Deny-MachineLearning-Aks'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Aks.json')
@@ -169,6 +213,10 @@ var varCustomPolicyDefinitionsArray = [
 name: 'Deny-Redis-http'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Redis-http.json')
 }
+ {
+ name: 'Deny-Service-Endpoints'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Service-Endpoints.json')
+ }
 {
 name: 'Deny-Sql-minTLS'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json')
@@ -177,10 +225,46 @@ var varCustomPolicyDefinitionsArray = [
 name: 'Deny-SqlMi-minTLS'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json')
 }
+ {
+ name: 'Deny-Storage-ContainerDeleteRetentionPolicy'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ContainerDeleteRetentionPolicy.json')
+ }
+ {
+ name: 'Deny-Storage-CopyScope'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-CopyScope.json')
+ }
+ {
+ name: 'Deny-Storage-CorsRules'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-CorsRules.json')
+ }
+ {
+ name: 'Deny-Storage-LocalUser'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-LocalUser.json')
+ }
 {
 name: 'Deny-Storage-minTLS'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json')
 }
+ {
+ name: 'Deny-Storage-NetworkAclsBypass'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsBypass.json')
+ }
+ {
+ name: 'Deny-Storage-NetworkAclsVirtualNetworkRules'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsVirtualNetworkRules.json')
+ }
+ {
+ name: 'Deny-Storage-ResourceAccessRulesResourceId'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesResourceId.json')
+ }
+ {
+ name: 'Deny-Storage-ResourceAccessRulesTenantId'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesTenantId.json')
+ }
+ {
+ name: 'Deny-Storage-ServicesEncryption'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ServicesEncryption.json')
+ }
 {
 name: 'Deny-Storage-SFTP'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-SFTP.json')
@@ -221,6 +305,10 @@ var varCustomPolicyDefinitionsArray = [
 name: 'DenyAction-ActivityLogs'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-ActivityLogs.json')
 }
+ {
+ name: 'DenyAction-DeleteResources'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-DeleteResources.json')
+ }
 {
 name: 'DenyAction-DiagnosticLogs'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-DiagnosticLogs.json')
@@ -457,6 +545,10 @@ var varCustomPolicyDefinitionsArray = [
 name: 'Deploy-FirewallPolicy'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-FirewallPolicy.json')
 }
+ {
+ name: 'Deploy-LogicApp-TLS'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-LogicApp-TLS.json')
+ }
 {
 name: 'Deploy-MDFC-Arc-SQL-DCR-Association'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-Arc-SQL-DCR-Association.json')
@@ -493,6 +585,10 @@ var varCustomPolicyDefinitionsArray = [
 name: 'Deploy-PostgreSQL-sslEnforcement'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json')
 }
+ {
+ name: 'Deploy-Private-DNS-Generic'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json')
+ }
 {
 name: 'Deploy-Sql-AuditingSettings'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-AuditingSettings.json')
@@ -541,1508 +637,3601 @@ var varCustomPolicyDefinitionsArray = [
 name: 'Deploy-Windows-DomainJoin'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Windows-DomainJoin.json')
 }
-]
-
-// This variable contains a number of objects that load in the custom Azure Policy Set/Initiative Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\policy_set_definitions\_policySetDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable.
-var varCustomPolicySetDefinitionsArray = [
 {
- name: 'Audit-UnusedResourcesCostOptimization'
- libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.json')
- libSetChildDefinitions: [
- {
- definitionReferenceId: 'AuditAzureHybridBenefitUnusedResourcesCostOptimization'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit'
- definitionParameters: varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters.AuditAzureHybridBenefitUnusedResourcesCostOptimization.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'AuditDisksUnusedResourcesCostOptimization'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization'
- definitionParameters: varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters.AuditDisksUnusedResourcesCostOptimization.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'AuditPublicIpAddressesUnusedResourcesCostOptimization'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization'
- definitionParameters: varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters.AuditPublicIpAddressesUnusedResourcesCostOptimization.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'AuditServerFarmsUnusedResourcesCostOptimization'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization'
- definitionParameters: varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters.AuditServerFarmsUnusedResourcesCostOptimization.parameters
- definitionGroups: []
- }
- ]
- }
- {
- name: 'Deny-PublicPaaSEndpoints'
- libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json')
- libSetChildDefinitions: [
- {
- definitionReferenceId: 'ACRDenyPaasPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.ACRDenyPaasPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'AFSDenyPaasPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AFSDenyPaasPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'AKSDenyPaasPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AKSDenyPaasPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'ApiManDenyPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.ApiManDenyPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'AppConfigDenyPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AppConfigDenyPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'AsDenyPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AsDenyPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'AseDenyPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AseDenyPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'AutomationDenyPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AutomationDenyPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'BatchDenyPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.BatchDenyPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'BotServiceDenyPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.BotServiceDenyPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'ContainerAppsEnvironmentDenyPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.ContainerAppsEnvironmentDenyPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'CosmosDenyPaasPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.CosmosDenyPaasPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'FunctionDenyPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.FunctionDenyPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'KeyVaultDenyPaasPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.KeyVaultDenyPaasPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'MariaDbDenyPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.MariaDbDenyPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'MlDenyPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.MlDenyPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'MySQLFlexDenyPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.MySQLFlexDenyPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'PostgreSQLFlexDenyPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.PostgreSQLFlexDenyPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'RedisCacheDenyPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.RedisCacheDenyPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'SqlServerDenyPaasPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.SqlServerDenyPaasPublicIP.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'StorageDenyPaasPublicIP'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693'
- definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.StorageDenyPaasPublicIP.parameters
- definitionGroups: []
- }
- ]
- }
- {
- name: 'DenyAction-DeleteProtection'
- libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.json')
- libSetChildDefinitions: [
- {
- definitionReferenceId: 'DenyActionDelete-ActivityLogSettings'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs'
- definitionParameters: varPolicySetDefinitionEsDenyActionDeleteProtectionParameters['DenyActionDelete-ActivityLogSettings'].parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'DenyActionDelete-DiagnosticSettings'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs'
- definitionParameters: varPolicySetDefinitionEsDenyActionDeleteProtectionParameters['DenyActionDelete-DiagnosticSettings'].parameters
- definitionGroups: []
- }
- ]
- }
- {
- name: 'Deploy-AUM-CheckUpdates'
- libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-AUM-CheckUpdates.json')
- libSetChildDefinitions: [
- {
- definitionReferenceId: 'azureUpdateManagerVmArcCheckUpdateLinux'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46'
- definitionParameters: varPolicySetDefinitionEsDeployAUMCheckUpdatesParameters.azureUpdateManagerVmArcCheckUpdateLinux.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'azureUpdateManagerVmArcCheckUpdateWindows'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46'
- definitionParameters: varPolicySetDefinitionEsDeployAUMCheckUpdatesParameters.azureUpdateManagerVmArcCheckUpdateWindows.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'azureUpdateManagerVmCheckUpdateLinux'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15'
- definitionParameters: varPolicySetDefinitionEsDeployAUMCheckUpdatesParameters.azureUpdateManagerVmCheckUpdateLinux.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'azureUpdateManagerVmCheckUpdateWindows'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15'
- definitionParameters: varPolicySetDefinitionEsDeployAUMCheckUpdatesParameters.azureUpdateManagerVmCheckUpdateWindows.parameters
- definitionGroups: []
- }
- ]
+ name: 'Modify-NSG'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Modify-NSG.json')
 }
 {
- name: 'Deploy-Diagnostics-LogAnalytics'
- libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json')
- libSetChildDefinitions: [
- { - definitionReferenceId: 'ACIDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ACIDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'ACRDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ACRDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'AKSDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AKSDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AnalysisServiceDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.APIforFHIRDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics' - definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.APIMgmtDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'AppServiceDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AppServiceDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AppServiceWebappDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'AutomationDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AutomationDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics' - definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'BastionDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.BastionDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.BatchDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.CDNEndpointsDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.CognitiveServicesDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'CosmosDeployDiagnosticLogDeployLogAnalytics' - definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.CosmosDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DatabricksDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DatabricksDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataFactoryDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics' - definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataLakeStoreDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventGridSubDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventGridTopicDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'EventHubDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventHubDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventSystemTopicDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics' - definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ExpressRouteDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'FirewallDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.FirewallDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.FrontDoorDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.FunctionAppDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'HDInsightDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.HDInsightDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'IotHubDeployDiagnosticLogDeployLogAnalytics' - definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.IotHubDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.KeyVaultDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LoadBalancerDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'LogAnalyticsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LogAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LogicAppsISEDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics' - definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LogicAppsWFDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'MariaDBDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MariaDBDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MediaServiceDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MlWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'MySQLDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MySQLDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics' - definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.NetworkNICDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.PostgreSQLDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics' - definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.RecoveryVaultDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.RedisCacheDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'RelayDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.RelayDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SearchServicesDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ServiceBusDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'SignalRDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR' - 
definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SignalRDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SQLDatabaseDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'SQLMDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SQLMDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef' - definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights' - definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.TrafficManagerDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VirtualMachinesDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VirtualNetworkDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'VMSSDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VMSSDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'VNetGWDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW' - definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VNetGWDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.WVDAppGroupDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace' - definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters - definitionGroups: [] - } - ] - } - { - name: 'Deploy-MDFC-Config' - libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json') - libSetChildDefinitions: [ - { - definitionReferenceId: 'ascExport' - definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.ascExport.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'azurePolicyForKubernetes' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.azurePolicyForKubernetes.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderForApis' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForApis.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderForAppServices' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForAppServices.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderForArm' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForArm.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderforContainers' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderforContainers.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderForCosmosDbs' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForCosmosDbs.parameters - definitionGroups: [] - } - { - definitionReferenceId: 
'defenderForCspm' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForCspm.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderForDns' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForDns.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderForKeyVaults' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForKeyVaults.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderforKubernetes' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderforKubernetes.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderForOssDb' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForOssDb.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderForSqlPaas' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForSqlPaas.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderForSqlServerVirtualMachines' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForSqlServerVirtualMachines.parameters 
- definitionGroups: [] - } - { - definitionReferenceId: 'defenderForStorageAccountsV2' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForStorageAccountsV2.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderForVM' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForVM.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderForVMVulnerabilityAssessment' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForVMVulnerabilityAssessment.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'migrateToMdeTvm' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.migrateToMdeTvm.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'securityEmailContact' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.securityEmailContact.parameters - definitionGroups: [] - } - ] - } - { - name: 'Deploy-MDFC-DefenderSQL-AMA' - libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-DefenderSQL-AMA.json') - libSetChildDefinitions: [ - { - definitionReferenceId: 'defenderForSqlAma' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA' - definitionParameters: 
varPolicySetDefinitionEsDeployMDFCDefenderSQLAMAParameters.defenderForSqlAma.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderForSqlArcAma' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786' - definitionParameters: varPolicySetDefinitionEsDeployMDFCDefenderSQLAMAParameters.defenderForSqlArcAma.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderForSqlArcDcrAssociation' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association' - definitionParameters: varPolicySetDefinitionEsDeployMDFCDefenderSQLAMAParameters.defenderForSqlArcDcrAssociation.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderForSqlArcMdsql' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929' - definitionParameters: varPolicySetDefinitionEsDeployMDFCDefenderSQLAMAParameters.defenderForSqlArcMdsql.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderForSqlArcMdsqlDcr' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR' - definitionParameters: varPolicySetDefinitionEsDeployMDFCDefenderSQLAMAParameters.defenderForSqlArcMdsqlDcr.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderForSqlMdsql' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL' - definitionParameters: varPolicySetDefinitionEsDeployMDFCDefenderSQLAMAParameters.defenderForSqlMdsql.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'defenderForSqlMdsqlDcr' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR' - definitionParameters: 
varPolicySetDefinitionEsDeployMDFCDefenderSQLAMAParameters.defenderForSqlMdsqlDcr.parameters - definitionGroups: [] - } - ] - } - { - name: 'Deploy-Private-DNS-Zones' - libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json') - libSetChildDefinitions: [ - { - definitionReferenceId: 'DINE-Private-DNS-Azure-ACR' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ACR'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-App' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-App'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-AppServices' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-AppServices'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Automation-DSCHybrid' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Automation-DSCHybrid'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Automation-Webhook' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Automation-Webhook'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 
'DINE-Private-DNS-Azure-Batch' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Batch'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveSearch' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-CognitiveSearch'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveServices' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-CognitiveServices'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-Cassandra' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-Cassandra'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-Gremlin' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-Gremlin'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-MongoDB' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-MongoDB'].parameters - definitionGroups: [] - } - { - 
definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-SQL' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-SQL'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-Table' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-Table'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Databricks-Browser-AuthN' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Databricks-Browser-AuthN'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Databricks-UI-Api' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Databricks-UI-Api'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-DataFactory' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DataFactory'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-DataFactory-Portal' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DataFactory-Portal'].parameters 
- definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-DiskAccess' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DiskAccess'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridDomains' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventGridDomains'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridTopics' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventGridTopics'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-EventHubNamespace' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventHubNamespace'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-File-Sync' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-File-Sync'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-HDInsight' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-HDInsight'].parameters 
- definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-IoT' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoT'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-IoTHubs' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoTHubs'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-KeyVault' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-KeyVault'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-MachineLearningWorkspace' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MachineLearningWorkspace'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-MediaServices-Key' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MediaServices-Key'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-MediaServices-Live' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991' - definitionParameters: 
varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MediaServices-Live'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-MediaServices-Stream' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MediaServices-Stream'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Migrate' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Migrate'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Monitor' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Monitor'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-RedisCache' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-RedisCache'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-ServiceBusNamespace' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ServiceBusNamespace'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-SignalR' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e' - definitionParameters: 
varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-SignalR'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Site-Recovery'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Blob' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Blob'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Blob-Sec' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Blob-Sec'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-DFS' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-DFS'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-DFS-Sec' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-DFS-Sec'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-File' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6' - 
definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-File'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Queue' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Queue'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Queue-Sec' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Queue-Sec'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-StaticWeb' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-StaticWeb'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-StaticWeb-Sec' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-StaticWeb-Sec'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Synapse-Dev' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Synapse-Dev'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Synapse-SQL' - definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Synapse-SQL'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Synapse-SQL-OnDemand' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Synapse-SQL-OnDemand'].parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DINE-Private-DNS-Azure-Web' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a' - definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Web'].parameters - definitionGroups: [] - } - ] - } - { - name: 'Deploy-Sql-Security' - libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.json') - libSetChildDefinitions: [ - { - definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings' - definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbAuditingSettingsDeploySqlSecurity.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies' - definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'SqlDbTdeDeploySqlSecurity' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f' - 
definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbTdeDeploySqlSecurity.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments' - definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters - definitionGroups: [] - } - ] - } - { - name: 'Enforce-ACSB' - libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.json') - libSetChildDefinitions: [ - { - definitionReferenceId: 'GcIdentity' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e' - definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.GcIdentity.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'GcLinux' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da' - definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.GcLinux.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'GcWindows' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6' - definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.GcWindows.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'LinAcsb' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd' - definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.LinAcsb.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'WinAcsb' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc' - definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.WinAcsb.parameters - 
definitionGroups: [] - } - ] - } - { - name: 'Enforce-ALZ-Decomm' - libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.json') - libSetChildDefinitions: [ - { - definitionReferenceId: 'DecomDenyResources' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c' - definitionParameters: varPolicySetDefinitionEsEnforceALZDecommParameters.DecomDenyResources.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DecomShutdownMachines' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown' - definitionParameters: varPolicySetDefinitionEsEnforceALZDecommParameters.DecomShutdownMachines.parameters - definitionGroups: [] - } - ] - } - { - name: 'Enforce-ALZ-Sandbox' - libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.json') - libSetChildDefinitions: [ - { - definitionReferenceId: 'SandboxDenyVnetPeering' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub' - definitionParameters: varPolicySetDefinitionEsEnforceALZSandboxParameters.SandboxDenyVnetPeering.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'SandboxNotAllowed' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749' - definitionParameters: varPolicySetDefinitionEsEnforceALZSandboxParameters.SandboxNotAllowed.parameters - definitionGroups: [] - } - ] - } - { - name: 'Enforce-Encryption-CMK' - libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json') - libSetChildDefinitions: [ - { - definitionReferenceId: 'ACRCmkDeny' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580' - definitionParameters: 
varPolicySetDefinitionEsEnforceEncryptionCMKParameters.ACRCmkDeny.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'AksCmkDeny' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.AksCmkDeny.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'AzureBatchCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.AzureBatchCMKEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'CognitiveServicesCMK' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.CognitiveServicesCMK.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'CosmosCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.CosmosCMKEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'DataBoxCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.DataBoxCMKEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'EncryptedVMDisksEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.EncryptedVMDisksEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'HealthcareAPIsCMKEffect' - definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.HealthcareAPIsCMKEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'MySQLCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.MySQLCMKEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'PostgreSQLCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.PostgreSQLCMKEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'SqlServerTDECMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.SqlServerTDECMKEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'StorageCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.StorageCMKEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'StreamAnalyticsCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.StreamAnalyticsCMKEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'SynapseWorkspaceCMKEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.SynapseWorkspaceCMKEffect.parameters - 
definitionGroups: [] - } - { - definitionReferenceId: 'WorkspaceCMK' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.WorkspaceCMK.parameters - definitionGroups: [] - } - ] - } - { - name: 'Enforce-EncryptTransit' - libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.json') - libSetChildDefinitions: [ - { - definitionReferenceId: 'AKSIngressHttpsOnlyEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.AKSIngressHttpsOnlyEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'APIAppServiceHttpsEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.APIAppServiceHttpsEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'AppServiceHttpEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.AppServiceHttpEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'AppServiceminTlsVersion' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.AppServiceminTlsVersion.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'ContainerAppsHttpsOnlyEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb' - definitionParameters: 
varPolicySetDefinitionEsEnforceEncryptTransitParameters.ContainerAppsHttpsOnlyEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'FunctionLatestTlsEffect' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.FunctionLatestTlsEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'FunctionServiceHttpsEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.FunctionServiceHttpsEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'MySQLEnableSSLDeployEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.MySQLEnableSSLDeployEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'MySQLEnableSSLEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.MySQLEnableSSLEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement' - definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.PostgreSQLEnableSSLDeployEffect.parameters - definitionGroups: [] - } - { - definitionReferenceId: 'PostgreSQLEnableSSLEffect' - definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http' - definitionParameters: 
varPolicySetDefinitionEsEnforceEncryptTransitParameters.PostgreSQLEnableSSLEffect.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'RedisDenyhttps'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http'
- definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.RedisDenyhttps.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'RedisdisableNonSslPort'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort'
- definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.RedisdisableNonSslPort.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'RedisTLSDeployEffect'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement'
- definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.RedisTLSDeployEffect.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS'
- definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLManagedInstanceTLSDeployEffect.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'SQLManagedInstanceTLSEffect'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS'
- definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLManagedInstanceTLSEffect.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'SQLServerTLSDeployEffect'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS'
- definitionParameters: 
varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLServerTLSDeployEffect.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'SQLServerTLSEffect'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS'
- definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLServerTLSEffect.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'StorageDeployHttpsEnabledEffect'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement'
- definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.StorageDeployHttpsEnabledEffect.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'StorageHttpsEnabledEffect'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS'
- definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.StorageHttpsEnabledEffect.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'WebAppServiceHttpsEffect'
- definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http'
- definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.WebAppServiceHttpsEffect.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'WebAppServiceLatestTlsEffect'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b'
- definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.WebAppServiceLatestTlsEffect.parameters
- definitionGroups: []
- }
- ]
- }
- {
- name: 'Enforce-Guardrails-KeyVault'
- libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json')
- libSetChildDefinitions: [
- {
- definitionReferenceId: 
'KvCertLifetime'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417'
- definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvCertLifetime.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'KvFirewallEnabled'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490'
- definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvFirewallEnabled.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'KvKeysExpire'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0'
- definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvKeysExpire.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'KvKeysLifetime'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146'
- definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvKeysLifetime.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'KvPurgeProtection'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53'
- definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvPurgeProtection.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'KvSecretsExpire'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37'
- definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvSecretsExpire.parameters
- definitionGroups: []
- }
- {
- definitionReferenceId: 'KvSecretsLifetime'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a'
- definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvSecretsLifetime.parameters
- 
definitionGroups: []
- }
- {
- definitionReferenceId: 'KvSoftDelete'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d'
- definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvSoftDelete.parameters
- definitionGroups: []
- }
- ]
+ name: 'Modify-UDR'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Modify-UDR.json')
 }
 ]
+// This variable contains a number of objects that load in the custom Azure Policy Set/Initiative Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\policy_set_definitions\_policySetDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable.
+var varCustomPolicySetDefinitionsArray = [
+ {
+ name: 'Audit-TrustedLaunch'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Audit-TrustedLaunch.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'AuditDisksOsTrustedLaunch'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa'
+ definitionParameters: varPolicySetDefinitionEsAuditTrustedLaunchParameters.AuditDisksOsTrustedLaunch.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AuditTrustedLaunchEnabled'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf'
+ definitionParameters: varPolicySetDefinitionEsAuditTrustedLaunchParameters.AuditTrustedLaunchEnabled.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Audit-UnusedResourcesCostOptimization'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'AuditAzureHybridBenefitUnusedResourcesCostOptimization'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit'
+ definitionParameters: varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters.AuditAzureHybridBenefitUnusedResourcesCostOptimization.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AuditDisksUnusedResourcesCostOptimization'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization'
+ definitionParameters: varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters.AuditDisksUnusedResourcesCostOptimization.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AuditPublicIpAddressesUnusedResourcesCostOptimization'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization'
+ definitionParameters: varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters.AuditPublicIpAddressesUnusedResourcesCostOptimization.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AuditServerFarmsUnusedResourcesCostOptimization'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization'
+ definitionParameters: varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters.AuditServerFarmsUnusedResourcesCostOptimization.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deny-PublicPaaSEndpoints'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'ACRDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f'
+ definitionParameters: 
varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.ACRDenyPaasPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AFSDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AFSDenyPaasPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AKSDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AKSDenyPaasPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'ApiManDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.ApiManDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppConfigDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AppConfigDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AsDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AsDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AseDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AseDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AsrVaultDenyPublicIP'
+ definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AsrVaultDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AutomationDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AutomationDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BatchDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.BatchDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BotServiceDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.BotServiceDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'ContainerAppsEnvironmentDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.ContainerAppsEnvironmentDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CosmosDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.CosmosDenyPaasPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Adf-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6'
+ definitionParameters: 
varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Adf-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ADX-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-ADX-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-AppSlots-Public'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-AppSlots-Public'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Cognitive-Services-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Cognitive-Services-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Cognitive-Services-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Cognitive-Services-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-CognitiveSearch-PublicEndpoint'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-CognitiveSearch-PublicEndpoint'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ContainerApps-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1'
+ definitionParameters: 
varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-ContainerApps-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-EH-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-EH-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-EventGrid-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-EventGrid-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-EventGrid-Topic-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-EventGrid-Topic-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Grafana-PublicNetworkAccess'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Grafana-PublicNetworkAccess'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Hostpool-PublicNetworkAccess'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Hostpool-PublicNetworkAccess'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Hms-PublicNetwork'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f'
+ definitionParameters: 
varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-KV-Hms-PublicNetwork'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-LogicApp-Public-Network-Access'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-LogicApp-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ManagedDisk-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-ManagedDisk-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-MySql-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-MySql-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-PostgreSql-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-PostgreSql-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Sb-PublicEndpoint'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Sb-PublicEndpoint'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Sql-Managed-Public-Endpoint'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91'
+ definitionParameters: 
varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Sql-Managed-Public-Endpoint'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-Public-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Storage-Public-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Synapse-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Synapse-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Workspace-PublicNetworkAccess'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters['Deny-Workspace-PublicNetworkAccess'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FunctionAppSlotsDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.FunctionAppSlotsDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FunctionDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.FunctionDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KeyVaultDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b'
+ definitionParameters: 
varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.KeyVaultDenyPaasPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MariaDbDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.MariaDbDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MlDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.MlDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLFlexDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.MySQLFlexDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLFlexDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.PostgreSQLFlexDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisCacheDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.RedisCacheDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlServerDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.SqlServerDenyPaasPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageDenyPaasPublicIP'
+ 
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.StorageDenyPaasPublicIP.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'DenyAction-DeleteProtection'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'DenyActionDelete-ActivityLogSettings'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs'
+ definitionParameters: varPolicySetDefinitionEsDenyActionDeleteProtectionParameters['DenyActionDelete-ActivityLogSettings'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DenyActionDelete-DiagnosticSettings'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs'
+ definitionParameters: varPolicySetDefinitionEsDenyActionDeleteProtectionParameters['DenyActionDelete-DiagnosticSettings'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deploy-AUM-CheckUpdates'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-AUM-CheckUpdates.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'azureUpdateManagerVmArcCheckUpdateLinux'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46'
+ definitionParameters: varPolicySetDefinitionEsDeployAUMCheckUpdatesParameters.azureUpdateManagerVmArcCheckUpdateLinux.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'azureUpdateManagerVmArcCheckUpdateWindows'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46'
+ definitionParameters: 
varPolicySetDefinitionEsDeployAUMCheckUpdatesParameters.azureUpdateManagerVmArcCheckUpdateWindows.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'azureUpdateManagerVmCheckUpdateLinux'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15'
+ definitionParameters: varPolicySetDefinitionEsDeployAUMCheckUpdatesParameters.azureUpdateManagerVmCheckUpdateLinux.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'azureUpdateManagerVmCheckUpdateWindows'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15'
+ definitionParameters: varPolicySetDefinitionEsDeployAUMCheckUpdatesParameters.azureUpdateManagerVmCheckUpdateWindows.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deploy-Diagnostics-LogAnalytics'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'ACIDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ACIDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'ACRDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ACRDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AKSDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8'
+ definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AKSDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AnalysisServiceDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.APIforFHIRDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.APIMgmtDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm'
+ definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AppServiceDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AppServiceWebappDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AutomationDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AutomationDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BastionDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.BastionDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5'
+ definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.BatchDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.CDNEndpointsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.CognitiveServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CosmosDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.CosmosDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DatabricksDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DatabricksDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster'
+ definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataFactoryDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataLakeStoreDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventGridSubDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic' + definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventGridTopicDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventHubDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventSystemTopicDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ExpressRouteDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FirewallDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.FirewallDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor' + definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.FrontDoorDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.FunctionAppDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'HDInsightDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.HDInsightDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'IotHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.IotHubDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.KeyVaultDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer' + definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LoadBalancerDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LogAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LogAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LogicAppsISEDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LogicAppsWFDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MariaDBDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MariaDBDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService' + definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MediaServiceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MlWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MySQLDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.NetworkNICDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups' + definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.PostgreSQLDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.RecoveryVaultDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.RedisCacheDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RelayDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay' + definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.RelayDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SearchServicesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ServiceBusDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SignalRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SignalRDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SQLDatabaseDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics.parameters 
+ definitionGroups: [] + } + { + definitionReferenceId: 'SQLMDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SQLMDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 
'StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.TrafficManagerDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VirtualMachinesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 
'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VirtualNetworkDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VMSSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VMSSDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VNetGWDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VNetGWDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.WVDAppGroupDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics' + 
definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + ] + } + { + name: 'Deploy-MDFC-Config_20240319' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ascExport' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.ascExport.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'azurePolicyForKubernetes' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.azurePolicyForKubernetes.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForAppServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForAppServices.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForArm' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9' + definitionParameters: 
varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForArm.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderforContainers' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderforContainers.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForCosmosDbs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForCosmosDbs.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForCspm' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForCspm.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForKeyVaults' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForKeyVaults.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderforKubernetes' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderforKubernetes.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForOssDb' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForOssDb.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForSqlPaas' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForSqlPaas.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForSqlServerVirtualMachines' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForSqlServerVirtualMachines.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForStorageAccountsV2' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForStorageAccountsV2.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForVM' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForVM.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForVMVulnerabilityAssessment' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForVMVulnerabilityAssessment.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'migrateToMdeTvm' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.migrateToMdeTvm.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'securityEmailContact' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts' + 
definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.securityEmailContact.parameters + definitionGroups: [] + } + ] + } + { + name: 'Deploy-MDFC-Config' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ascExport' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.ascExport.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'azurePolicyForKubernetes' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.azurePolicyForKubernetes.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForApis' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForApis.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForAppServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForAppServices.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForArm' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForArm.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderforContainers' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f' + definitionParameters: 
varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderforContainers.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForCosmosDbs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForCosmosDbs.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForCspm' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForCspm.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForDns' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForDns.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForKeyVaults' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForKeyVaults.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderforKubernetes' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderforKubernetes.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForOssDb' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForOssDb.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForSqlPaas' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForSqlPaas.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForSqlServerVirtualMachines'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForSqlServerVirtualMachines.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForStorageAccountsV2'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForStorageAccountsV2.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForVM'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForVM.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForVMVulnerabilityAssessment'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForVMVulnerabilityAssessment.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'migrateToMdeTvm'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.migrateToMdeTvm.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'securityEmailContact'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.securityEmailContact.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deploy-MDFC-DefenderSQL-AMA'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-DefenderSQL-AMA.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'defenderForSqlAma'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCDefenderSQLAMAParameters.defenderForSqlAma.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForSqlArcAma'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCDefenderSQLAMAParameters.defenderForSqlArcAma.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForSqlArcDcrAssociation'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCDefenderSQLAMAParameters.defenderForSqlArcDcrAssociation.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForSqlArcMdsql'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCDefenderSQLAMAParameters.defenderForSqlArcMdsql.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForSqlArcMdsqlDcr'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCDefenderSQLAMAParameters.defenderForSqlArcMdsqlDcr.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForSqlMdsql'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCDefenderSQLAMAParameters.defenderForSqlMdsql.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForSqlMdsqlDcr'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCDefenderSQLAMAParameters.defenderForSqlMdsqlDcr.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deploy-Private-DNS-Zones'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-ACR'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ACR'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-App'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-App'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-AppServices'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-AppServices'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Arc'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Arc'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Automation-DSCHybrid'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Automation-DSCHybrid'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Automation-Webhook'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Automation-Webhook'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Batch'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Batch'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-BotService'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-BotService'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveSearch'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-CognitiveSearch'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveServices'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-CognitiveServices'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-Cassandra'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-Cassandra'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-Gremlin'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-Gremlin'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-MongoDB'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-MongoDB'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-SQL'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-SQL'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-Table'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-Table'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Databricks-Browser-AuthN'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Databricks-Browser-AuthN'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Databricks-UI-Api'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Databricks-UI-Api'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-DataFactory'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DataFactory'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-DataFactory-Portal'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DataFactory-Portal'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-DiskAccess'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DiskAccess'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridDomains'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventGridDomains'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridTopics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventGridTopics'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventHubNamespace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventHubNamespace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-File-Sync'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-File-Sync'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-HDInsight'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-HDInsight'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-IoT'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoT'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-IoTCentral'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoTCentral'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-IoTDeviceupdate'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoTDeviceupdate'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-IoTHubs'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoTHubs'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-KeyVault'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-KeyVault'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-MachineLearningWorkspace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MachineLearningWorkspace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-ManagedGrafanaWorkspace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ManagedGrafanaWorkspace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-MediaServices-Key'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MediaServices-Key'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-MediaServices-Live'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MediaServices-Live'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-MediaServices-Stream'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MediaServices-Stream'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Migrate'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Migrate'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Monitor'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Monitor'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-RedisCache'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-RedisCache'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-ServiceBusNamespace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ServiceBusNamespace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-SignalR'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-SignalR'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Site-Recovery'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery-Backup'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Site-Recovery-Backup'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Blob'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Blob'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Blob-Sec'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Blob-Sec'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-DFS'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-DFS'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-DFS-Sec'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-DFS-Sec'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-File'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-File'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Queue'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Queue'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Queue-Sec'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Queue-Sec'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-StaticWeb'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-StaticWeb'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-StaticWeb-Sec'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-StaticWeb-Sec'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Table'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Table'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Table-Secondary'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Table-Secondary'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Synapse-Dev'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Synapse-Dev'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Synapse-SQL'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Synapse-SQL'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Synapse-SQL-OnDemand'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Synapse-SQL-OnDemand'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-VirtualDesktopHostpool'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-VirtualDesktopHostpool'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-VirtualDesktopWorkspace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-VirtualDesktopWorkspace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Web'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Web'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deploy-Sql-Security_20240529'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security_20240529.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings'
+ definitionParameters: varPolicySetDefinitionEsDeploySqlSecurity_20240529Parameters.SqlDbAuditingSettingsDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies'
+ definitionParameters: varPolicySetDefinitionEsDeploySqlSecurity_20240529Parameters.SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlDbTdeDeploySqlSecurity'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f'
+ definitionParameters: varPolicySetDefinitionEsDeploySqlSecurity_20240529Parameters.SqlDbTdeDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706'
+ definitionParameters: varPolicySetDefinitionEsDeploySqlSecurity_20240529Parameters.SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deploy-Sql-Security'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings'
+ definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbAuditingSettingsDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies'
+ definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlDbTdeDeploySqlSecurity'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f'
+ definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbTdeDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments'
+ definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-ACSB'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'GcIdentity'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e'
+ definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.GcIdentity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'GcLinux'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da'
+ definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.GcLinux.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'GcWindows'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6'
+ definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.GcWindows.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'LinAcsb'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd'
+ definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.LinAcsb.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WinAcsb'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc'
+ definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.WinAcsb.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-ALZ-Decomm'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'DecomDenyResources'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c'
+ definitionParameters: varPolicySetDefinitionEsEnforceALZDecommParameters.DecomDenyResources.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DecomShutdownMachines'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown'
+ definitionParameters: varPolicySetDefinitionEsEnforceALZDecommParameters.DecomShutdownMachines.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-ALZ-Sandbox'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'SandboxDenyVnetPeering'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub'
+ definitionParameters: varPolicySetDefinitionEsEnforceALZSandboxParameters.SandboxDenyVnetPeering.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SandboxNotAllowed'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749'
+ definitionParameters: varPolicySetDefinitionEsEnforceALZSandboxParameters.SandboxNotAllowed.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Backup'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'BackupBVault-Immutability'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018'
+ definitionParameters: varPolicySetDefinitionEsEnforceBackupParameters['BackupBVault-Immutability'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BackupBVault-MUA'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e'
+ definitionParameters: varPolicySetDefinitionEsEnforceBackupParameters['BackupBVault-MUA'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BackupBVault-SoftDelete'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016'
+ definitionParameters: varPolicySetDefinitionEsEnforceBackupParameters['BackupBVault-SoftDelete'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BackupRVault-Immutability'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868'
+ definitionParameters: varPolicySetDefinitionEsEnforceBackupParameters['BackupRVault-Immutability'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BackupRVault-MUA'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a'
+ definitionParameters: varPolicySetDefinitionEsEnforceBackupParameters['BackupRVault-MUA'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BackupRVault-SoftDelete'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148'
+ definitionParameters: varPolicySetDefinitionEsEnforceBackupParameters['BackupRVault-SoftDelete'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Encryption-CMK'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'ACRCmkDeny'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.ACRCmkDeny.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AksCmkDeny'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.AksCmkDeny.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AzureBatchCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.AzureBatchCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CognitiveServicesCMK'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.CognitiveServicesCMK.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CosmosCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.CosmosCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataBoxCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.DataBoxCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aa-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Aa-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Adf-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Adf-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ADX-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-ADX-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Backup-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Backup-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-CognitiveSearch-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-CognitiveSearch-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ContainerInstance-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-ContainerInstance-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-EH-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-EH-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-EH-Premium-CMK'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-EH-Premium-CMK'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-OsAndDataDisk-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-OsAndDataDisk-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Sb-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Sb-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Sql-Managed-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Sql-Managed-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-Encryption-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Storage-Encryption-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-Queue-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Storage-Queue-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Storage-Table-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Storage-Table-Cmk'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EncryptedVMDisksEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.EncryptedVMDisksEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'HealthcareAPIsCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.HealthcareAPIsCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.MySQLCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.PostgreSQLCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlServerTDECMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.SqlServerTDECMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.StorageCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StreamAnalyticsCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.StreamAnalyticsCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SynapseWorkspaceCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385'
+ definitionParameters: 
varPolicySetDefinitionEsEnforceEncryptionCMKParameters.SynapseWorkspaceCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WorkspaceCMK' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.WorkspaceCMK.parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-EncryptTransit_20240509' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'AKSIngressHttpsOnlyEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.AKSIngressHttpsOnlyEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'APIAppServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.APIAppServiceHttpsEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AppServiceHttpEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.AppServiceHttpEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AppServiceminTlsVersion' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.AppServiceminTlsVersion.parameters + definitionGroups: [] + } + { + definitionReferenceId: 
'ContainerAppsHttpsOnlyEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.ContainerAppsHttpsOnlyEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AppService-Apps-Https' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-AppService-Apps-Https'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AppService-Slots-Https' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-AppService-Slots-Https'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AppService-Tls' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-AppService-Tls'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ContainerApps-Https' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-ContainerApps-Https'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-EH-minTLS' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-EH-minTLS'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-FuncAppSlots-Https' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-FuncAppSlots-Https'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-FunctionApp-Https' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-FunctionApp-Https'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-LogicApp-Without-Https' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-LogicApp-Without-Https'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Sql-Db-Tls' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-Sql-Db-Tls'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Sql-Managed-Tls-Version' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-Sql-Managed-Tls-Version'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Storage-Tls' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-Storage-Tls'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Synapse-Tls-Version' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deny-Synapse-Tls-Version'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deploy-LogicApp-TLS' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Deploy-LogicApp-TLS'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Dine-AppService-Apps-Tls' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Dine-AppService-Apps-Tls'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-AppService-AppSlotTls' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['DINE-AppService-AppSlotTls'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Dine-Function-Apps-Slots-Tls' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Dine-Function-Apps-Slots-Tls'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Dine-FunctionApp-Tls' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters['Dine-FunctionApp-Tls'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FunctionLatestTlsEffect' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.FunctionLatestTlsEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FunctionServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.FunctionServiceHttpsEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.MySQLEnableSSLDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLEnableSSLEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.MySQLEnableSSLEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.PostgreSQLEnableSSLDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLEnableSSLEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.PostgreSQLEnableSSLEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 
'RedisDenyhttps' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.RedisDenyhttps.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RedisdisableNonSslPort' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.RedisdisableNonSslPort.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RedisTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.RedisTLSDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.SQLManagedInstanceTLSDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLManagedInstanceTLSEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.SQLManagedInstanceTLSEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLServerTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.SQLServerTLSDeployEffect.parameters + definitionGroups: [] + } + { + 
definitionReferenceId: 'SQLServerTLSEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.SQLServerTLSEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageDeployHttpsEnabledEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.StorageDeployHttpsEnabledEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WebAppServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.WebAppServiceHttpsEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WebAppServiceLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters.WebAppServiceLatestTlsEffect.parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-EncryptTransit' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'AKSIngressHttpsOnlyEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.AKSIngressHttpsOnlyEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'APIAppServiceHttpsEffect' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.APIAppServiceHttpsEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AppServiceHttpEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.AppServiceHttpEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AppServiceminTlsVersion' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.AppServiceminTlsVersion.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ContainerAppsHttpsOnlyEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.ContainerAppsHttpsOnlyEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FunctionLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.FunctionLatestTlsEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FunctionServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.FunctionServiceHttpsEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLEnableSSLDeployEffect' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.MySQLEnableSSLDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLEnableSSLEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.MySQLEnableSSLEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.PostgreSQLEnableSSLDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLEnableSSLEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.PostgreSQLEnableSSLEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RedisDenyhttps' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.RedisDenyhttps.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RedisdisableNonSslPort' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.RedisdisableNonSslPort.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RedisTLSDeployEffect' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.RedisTLSDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLManagedInstanceTLSDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLManagedInstanceTLSEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLManagedInstanceTLSEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLServerTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLServerTLSDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLServerTLSEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLServerTLSEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageDeployHttpsEnabledEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.StorageDeployHttpsEnabledEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageHttpsEnabledEffect' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.StorageHttpsEnabledEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WebAppServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.WebAppServiceHttpsEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WebAppServiceLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.WebAppServiceLatestTlsEffect.parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-APIM' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-APIM.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-Api-subscription-scope' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-Api-subscription-scope'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Apim-Authn' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-Apim-Authn'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Apim-Cert-Validation' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-Apim-Cert-Validation'].parameters + 
definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Apim-Direct-Endpoint' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-Apim-Direct-Endpoint'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Apim-Protocols' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-Apim-Protocols'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Apim-Sku-Vnet' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-Apim-Sku-Vnet'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-APIM-TLS' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-APIM-TLS'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Apim-Version' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-Apim-Version'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Apim-without-Kv' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-Apim-without-Kv'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Apim-without-Vnet' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b' + 
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Deny-Apim-without-Vnet'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Dine-Apim-Public-NetworkAccess' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters['Dine-Apim-Public-NetworkAccess'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-AppServices' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-AppServices.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-AppServ-FtpAuth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Deny-AppServ-FtpAuth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AppServ-Routing' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Deny-AppServ-Routing'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AppServ-SkuPl' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Deny-AppServ-SkuPl'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AppService-Byoc' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Deny-AppService-Byoc'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AppService-Latest-Version' + 
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Deny-AppService-Latest-Version'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-AppService-Rfc'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Deny-AppService-Rfc'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-AppService-Slots-Remote-Debugging'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Deny-AppService-Slots-Remote-Debugging'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-AppService-Vnet-Routing'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Deny-AppService-Vnet-Routing'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-AppServiceApps-Rfc'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Deny-AppServiceApps-Rfc'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Dine-AppService-Apps-Remote-Debugging'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Dine-AppService-Apps-Remote-Debugging'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-AppService-Debugging'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['DINE-AppService-Debugging'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-AppService-LocalAuth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['DINE-AppService-LocalAuth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-AppService-ScmAuth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['DINE-AppService-ScmAuth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-FuncApp-Debugging'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['DINE-FuncApp-Debugging'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-AppService-App-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Modify-AppService-App-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-AppService-Apps-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Modify-AppService-Apps-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-AppService-Https'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Modify-AppService-Https'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-Function-Apps-Slots-Https'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Modify-Function-Apps-Slots-Https'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-Function-Apps-Slots-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters['Modify-Function-Apps-Slots-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-Automation'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Automation.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-Aa-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters['Deny-Aa-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aa-Managed-Identity'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters['Deny-Aa-Managed-Identity'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aa-Variables-Encrypt'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters['Deny-Aa-Variables-Encrypt'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Windows-Vm-HotPatch'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters['Deny-Windows-Vm-HotPatch'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-Aa-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters['Modify-Aa-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-Aa-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters['Modify-Aa-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-CognitiveServices'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-CognitiveSearch-SKU'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-CognitiveSearch-SKU'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-CongitiveSearch-LocalAuth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-CongitiveSearch-LocalAuth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-Cognitive-Services-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Modify-Cognitive-Services-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-CogntiveSearch-LocalAuth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Modify-CogntiveSearch-LocalAuth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-CogntiveSearch-PublicEndpoint'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Modify-CogntiveSearch-PublicEndpoint'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-Compute'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Compute.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-Disk-Double-Encryption'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsComputeParameters['Deny-Disk-Double-Encryption'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-VmAndVmss-Encryption-Host'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsComputeParameters['Deny-VmAndVmss-Encryption-Host'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-ContainerApps'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerApps.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-ContainerApp-Vnet-Injection'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerAppsParameters['Deny-ContainerApp-Vnet-Injection'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ContainerApps-Managed-Identity'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerAppsParameters['Deny-ContainerApps-Managed-Identity'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-ContainerInstance'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerInstance.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-ContainerInstance-Vnet'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerInstanceParameters['Deny-ContainerInstance-Vnet'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-ContainerRegistry'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerRegistry.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-ContainerRegistry-Anonymous-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Deny-ContainerRegistry-Anonymous-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ContainerRegistry-Arm-Audience'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Deny-ContainerRegistry-Arm-Audience'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ContainerRegistry-Exports'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Deny-ContainerRegistry-Exports'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ContainerRegistry-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Deny-ContainerRegistry-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ContainerRegistry-Repo-Token'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Deny-ContainerRegistry-Repo-Token'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ContainerRegistry-Sku-PrivateLink'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Deny-ContainerRegistry-Sku-PrivateLink'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ContainerRegistry-Unrestricted-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Deny-ContainerRegistry-Unrestricted-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-ContainerRegistry-Anonymous-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Modify-ContainerRegistry-Anonymous-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-ContainerRegistry-Arm-Audience'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Modify-ContainerRegistry-Arm-Audience'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-ContainerRegistry-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Modify-ContainerRegistry-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-ContainerRegistry-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Modify-ContainerRegistry-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-ContainerRegistry-Repo-Token'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters['Modify-ContainerRegistry-Repo-Token'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-CosmosDb'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CosmosDb.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Append-CosmosDb-Metadata'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCosmosDbParameters['Append-CosmosDb-Metadata'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-CosmosDb-Fw-Rules'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCosmosDbParameters['Deny-CosmosDb-Fw-Rules'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-CosmosDb-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCosmosDbParameters['Deny-CosmosDb-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Dine-CosmosDb-Atp'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCosmosDbParameters['Dine-CosmosDb-Atp'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-CosmosDb-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCosmosDbParameters['Modify-CosmosDb-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-CosmosDb-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCosmosDbParameters['Modify-CosmosDb-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-DataExplorer'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataExplorer.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-ADX-Double-Encryption'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsDataExplorerParameters['Deny-ADX-Double-Encryption'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ADX-Encryption'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsDataExplorerParameters['Deny-ADX-Encryption'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ADX-Sku-without-PL-Support'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsDataExplorerParameters['Deny-ADX-Sku-without-PL-Support'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-ADX-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsDataExplorerParameters['Modify-ADX-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-DataFactory'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataFactory.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-Adf-Git'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsDataFactoryParameters['Deny-Adf-Git'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Adf-Linked-Service-Key-Vault'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsDataFactoryParameters['Deny-Adf-Linked-Service-Key-Vault'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Adf-Managed-Identity'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsDataFactoryParameters['Deny-Adf-Managed-Identity'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Adf-Sql-Integration'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsDataFactoryParameters['Deny-Adf-Sql-Integration'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-Adf-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsDataFactoryParameters['Modify-Adf-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-EventGrid'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventGrid.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-EventGrid-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventGridParameters['Deny-EventGrid-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-EventGrid-Partner-Namespace-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventGridParameters['Deny-EventGrid-Partner-Namespace-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-EventGrid-Topic-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventGridParameters['Deny-EventGrid-Topic-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-EventGrid-Domain-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventGridParameters['Modify-EventGrid-Domain-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-EventGrid-Domain-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventGridParameters['Modify-EventGrid-Domain-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-EventGrid-Partner-Namespace-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventGridParameters['Modify-EventGrid-Partner-Namespace-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-EventGrid-Topic-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventGridParameters['Modify-EventGrid-Topic-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-EventGrid-Topic-Public-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventGridParameters['Modify-EventGrid-Topic-Public-Network-Access'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-EventHub'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventHub.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-EH-Auth-Rules'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventHubParameters['Deny-EH-Auth-Rules'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-EH-Double-Encryption'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventHubParameters['Deny-EH-Double-Encryption'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-EH-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventHubParameters['Deny-EH-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-EH-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsEventHubParameters['Modify-EH-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-KeyVault-Sup'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault-Sup.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Modify-KV-Fw'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultSupParameters['Modify-KV-Fw'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Modify-KV-PublicNetworkAccess'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultSupParameters['Modify-KV-PublicNetworkAccess'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-KeyVault'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Kv-Cert-Expiration-Within-Specific-Number-Days'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-Kv-Cert-Expiration-Within-Specific-Number-Days'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Cert-Period'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Cert-Period'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Cryptographic-Type'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Cryptographic-Type'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Curve-Names'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Curve-Names'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Elliptic-Curve'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Elliptic-Curve'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Hms-Key-Expire'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Hms-Key-Expire'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Hms-PurgeProtection'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Hms-PurgeProtection'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Kv-Hsm-Curve-Names'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-Kv-Hsm-Curve-Names'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Kv-Hsm-MinimumDays-Before-Expiration'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-Kv-Hsm-MinimumDays-Before-Expiration'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Kv-Integrated-Ca'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-Kv-Integrated-Ca'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Key-Active'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Key-Active'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Key-Types'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Key-Types'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Keys-Expire'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Keys-Expire'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Kv-Non-Integrated-Ca'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-Kv-Non-Integrated-Ca'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-RSA-Keys-without-MinCertSize'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-RSA-Keys-without-MinCertSize'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-RSA-Keys-without-MinKeySize'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-RSA-Keys-without-MinKeySize'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Secret-ActiveDays'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Secret-ActiveDays'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Kv-Secret-Content-Type'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-Kv-Secret-Content-Type'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-Secrets-ValidityDays'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-Secrets-ValidityDays'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-KV-without-ArmRbac'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters['Deny-KV-without-ArmRbac'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvCertLifetime'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvCertLifetime.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvFirewallEnabled'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvFirewallEnabled.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvKeysExpire'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvKeysExpire.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvKeysLifetime'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvKeysLifetime.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvPurgeProtection'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvPurgeProtection.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvSecretsExpire'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvSecretsExpire.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvSecretsLifetime'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvSecretsLifetime.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvSoftDelete'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvSoftDelete.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-Kubernetes'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-Aks-Allowed-Capabilities'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Allowed-Capabilities'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Cni'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Cni'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Default-Namespace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Default-Namespace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Internal-Lb'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Internal-Lb'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Kms'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Kms'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Naked-Pods'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Naked-Pods'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Priv-Containers'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Priv-Containers'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Priv-Escalation'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Priv-Escalation'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Private-Cluster'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Private-Cluster'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-ReadinessOrLiveness-Probes'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-ReadinessOrLiveness-Probes'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Shared-Host-Process-Namespace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Shared-Host-Process-Namespace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Temp-Disk-Encryption'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Temp-Disk-Encryption'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Aks-Windows-Container-Administrator'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Deny-Aks-Windows-Container-Administrator'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Dine-Aks-Command-Invoke'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Dine-Aks-Command-Invoke'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Dine-Aks-Policy'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters['Dine-Aks-Policy'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-MachineLearning'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Deny-ML-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 
'Deny-ML-Outdated-Os' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Outdated-Os'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-User-Assigned-Identity' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-User-Assigned-Identity'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-ML-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Modify-ML-Local-Auth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-ML-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Modify-ML-Public-Network-Access'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-MySQL' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MySQL.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-MySql-Infra-Encryption' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMySQLParameters['Deny-MySql-Infra-Encryption'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Dine-MySql-Adv-Threat-Protection' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816' + definitionParameters: 
varPolicySetDefinitionEsEnforceGuardrailsMySQLParameters['Dine-MySql-Adv-Threat-Protection'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-Network' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-AppGw-Without-Tls' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-AppGw-Without-Tls'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AppGw-Without-Waf' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-AppGw-Without-Waf'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-FW-AllIDPSS' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-FW-AllIDPSS'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-FW-EmpIDPSBypass' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-FW-EmpIDPSBypass'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-FW-TLS-AllApp' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-FW-TLS-AllApp'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-FW-TLS-Inspection' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-FW-TLS-Inspection'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Ip-Forwarding' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Ip-Forwarding'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Mgmt-From-Internet' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Mgmt-From-Internet'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Nsg-GW-subnet' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Nsg-GW-subnet'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Subnet-with-Service-Endpoints' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Subnet-with-Service-Endpoints'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Subnet-Without-NSG' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Subnet-Without-NSG'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Subnet-Without-Udr' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Subnet-Without-Udr'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-vNic-Pip' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-vNic-Pip'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-VPN-AzureAD' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-VPN-AzureAD'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Waf-Afd-Enabled' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Waf-Afd-Enabled'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Waf-AppGw-mode' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Waf-AppGw-mode'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Waf-Fw-rules' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Waf-Fw-rules'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Waf-IDPS' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a' + definitionParameters: 
varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Waf-IDPS'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Waf-mode' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Deny-Waf-mode'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Nsg' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Modify-Nsg'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Udr' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Modify-Udr'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-vNet-DDoS' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters['Modify-vNet-DDoS'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-OpenAI' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-Cognitive-Services-Cust-Storage' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-Cognitive-Services-Cust-Storage'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Cognitive-Services-Local-Auth' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-Cognitive-Services-Local-Auth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Cognitive-Services-Managed-Identity' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-Cognitive-Services-Managed-Identity'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-OpenAi-NetworkAcls' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-OpenAi-NetworkAcls'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-OpenAi-OutboundNetworkAccess' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-OpenAi-OutboundNetworkAccess'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Cognitive-Services-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Modify-Cognitive-Services-Local-Auth'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-PostgreSQL' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-PostgreSQL.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Dine-PostgreSql-Adv-Threat-Protection' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsPostgreSQLParameters['Dine-PostgreSql-Adv-Threat-Protection'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-ServiceBus' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ServiceBus.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-Sb-Authz-Rules' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsServiceBusParameters['Deny-Sb-Authz-Rules'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Sb-Encryption' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsServiceBusParameters['Deny-Sb-Encryption'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Sb-LocalAuth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsServiceBusParameters['Deny-Sb-LocalAuth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Sb-LocalAuth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsServiceBusParameters['Modify-Sb-LocalAuth'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-SQL' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-SQL.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-Sql-Aad-Only' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSQLParameters['Deny-Sql-Aad-Only'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Sql-Managed-Aad-Only' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSQLParameters['Deny-Sql-Managed-Aad-Only'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Dine-Sql-Adv-Data' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSQLParameters['Dine-Sql-Adv-Data'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Dine-Sql-Managed-Defender' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSQLParameters['Dine-Sql-Managed-Defender'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Sql-PublicNetworkAccess' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSQLParameters['Modify-Sql-PublicNetworkAccess'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-Storage' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-Storage-Account-Encryption' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-Account-Encryption'].parameters + definitionGroups: [] + } + { 
+ definitionReferenceId: 'Deny-Storage-Account-Keys-Expire' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-Account-Keys-Expire'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Storage-Classic' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-Classic'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Storage-ContainerDeleteRetentionPolicy' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-ContainerDeleteRetentionPolicy'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Storage-CopyScope' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-CopyScope'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Storage-CorsRules' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-CorsRules'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Storage-Cross-Tenant' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-Cross-Tenant'].parameters + definitionGroups: [] 
+ } + { + definitionReferenceId: 'Deny-Storage-Infra-Encryption' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-Infra-Encryption'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Storage-LocalUser' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-LocalUser'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Storage-NetworkAclsBypass' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-NetworkAclsBypass'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Storage-NetworkAclsVirtualNetworkRules' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-NetworkAclsVirtualNetworkRules'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Storage-NetworkRules' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-NetworkRules'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Storage-ResourceAccessRulesResourceId' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId' + definitionParameters: 
varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-ResourceAccessRulesResourceId'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Storage-ResourceAccessRulesTenantId' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-ResourceAccessRulesTenantId'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Storage-Restrict-NetworkRules' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-Restrict-NetworkRules'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Storage-ServicesEncryption' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-ServicesEncryption'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Storage-SFTP' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-SFTP'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Storage-Shared-Key' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Deny-Storage-Shared-Key'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Dine-Storage-Threat-Protection' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Dine-Storage-Threat-Protection'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Blob-Storage-Account-PublicEndpoint' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Modify-Blob-Storage-Account-PublicEndpoint'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Storage-Account-PublicEndpoint' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Modify-Storage-Account-PublicEndpoint'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Storage-FileSync-PublicEndpoint' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsStorageParameters['Modify-Storage-FileSync-PublicEndpoint'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-Synapse' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Deny-Synapse-Data-Traffic' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters['Deny-Synapse-Data-Traffic'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Synapse-Fw-Rules' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8' + definitionParameters: 
varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters['Deny-Synapse-Fw-Rules'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Synapse-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters['Deny-Synapse-Local-Auth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Synapse-Managed-Vnet' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters['Deny-Synapse-Managed-Vnet'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Synapse-Tenant-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters['Deny-Synapse-Tenant-Access'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Dine-Synapse-Defender' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters['Dine-Synapse-Defender'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Synapse-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters['Modify-Synapse-Local-Auth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Synapse-Public-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters['Modify-Synapse-Public-Network-Access'].parameters + 
definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Synapse-Tls-Version' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters['Modify-Synapse-Tls-Version'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Guardrails-VirtualDesktop' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-VirtualDesktop.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Modify-Hostpool-PublicNetworkAccess' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsVirtualDesktopParameters['Modify-Hostpool-PublicNetworkAccess'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Modify-Workspace-PublicNetworkAccess' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsVirtualDesktopParameters['Modify-Workspace-PublicNetworkAccess'].parameters + definitionGroups: [] + } + ] + } +] + + // Policy Set/Initiative Definition Parameter Variables +var varPolicySetDefinitionEsAuditTrustedLaunchParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Audit-TrustedLaunch.parameters.json') + var varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.parameters.json') var varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json') 
@@ -2053,12 +4242,16 @@ var varPolicySetDefinitionEsDeployAUMCheckUpdatesParameters = loadJsonContent('l var varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.parameters.json') +var varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.parameters.json') + var varPolicySetDefinitionEsDeployMDFCConfigParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json') var varPolicySetDefinitionEsDeployMDFCDefenderSQLAMAParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-DefenderSQL-AMA.parameters.json') var varPolicySetDefinitionEsDeployPrivateDNSZonesParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json') +var varPolicySetDefinitionEsDeploySqlSecurity_20240529Parameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security_20240529.parameters.json') + var varPolicySetDefinitionEsDeploySqlSecurityParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.parameters.json') var varPolicySetDefinitionEsEnforceACSBParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.parameters.json') 
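Review bot: The two variable names added in this hunk, `varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters` and `varPolicySetDefinitionEsDeploySqlSecurity_20240529Parameters`, embed an underscore before the date suffix while every neighbouring `varPolicySetDefinitionEs…Parameters` declaration is pure camelCase. If the names are produced by a generator keyed on the `lib/policy_set_definitions/*.parameters.json` file names the underscore may be unavoidable, but otherwise `…DeployMDFCConfig20240319Parameters` would match the surrounding convention. The dated and undated parameter files are now loaded side by side and nothing on these lines tells a reader which initiative new assignments should target or whether the undated one is being retired; a short comment on each new line, e.g. `// NOTE(review): dated variant loaded alongside the undated Deploy-MDFC-Config initiative — confirm which one assignments target`, would save the next maintainer from diffing the two JSON files.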
@@ -2067,12 +4260,66 @@ var varPolicySetDefinitionEsEnforceALZDecommParameters = loadJsonContent('lib/po var varPolicySetDefinitionEsEnforceALZSandboxParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.parameters.json') +var varPolicySetDefinitionEsEnforceBackupParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.parameters.json') + var varPolicySetDefinitionEsEnforceEncryptionCMKParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json') +var varPolicySetDefinitionEsEnforceEncryptTransit_20240509Parameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit_20240509.parameters.json') + var varPolicySetDefinitionEsEnforceEncryptTransitParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.parameters.json') +var varPolicySetDefinitionEsEnforceGuardrailsAPIMParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-APIM.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-AppServices.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Automation.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsComputeParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Compute.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsContainerAppsParameters = 
loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerApps.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsContainerInstanceParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerInstance.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsContainerRegistryParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerRegistry.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsCosmosDbParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CosmosDb.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsDataExplorerParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataExplorer.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsDataFactoryParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataFactory.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsEventGridParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventGrid.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsEventHubParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventHub.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsKeyVaultSupParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault-Sup.parameters.json') + var varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.parameters.json') +var varPolicySetDefinitionEsEnforceGuardrailsKubernetesParameters = 
loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsMySQLParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MySQL.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsNetworkParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsPostgreSQLParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-PostgreSQL.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsServiceBusParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ServiceBus.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsSQLParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-SQL.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsStorageParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Storage.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.parameters.json') + +var varPolicySetDefinitionEsEnforceGuardrailsVirtualDesktopParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-VirtualDesktop.parameters.json') + // Customer Usage Attribution Id 
var varCuaid = '2b136786-9881-412e-84ba-f4c2822e1ac9' From 255aad86cf5a617bb30a9bf26cf4e09e2e05472a Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Sat, 15 Jun 2024 18:53:27 -0500 Subject: [PATCH 13/50] Update superseded definition for mdfcconfig --- .../alzDefaults/alzDefaultPolicyAssignments.bicep | 2 +- ...icy_assignment_es_deploy_mdfc_config.tmpl.json | 15 +++------------ 2 files changed, 4 insertions(+), 13 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 382517bdb..39e92dc6f 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -325,7 +325,7 @@ var varPolicyAssignmentDeployMDEndpoints = { } var varPolicyAssignmentDeployMDFCConfig = { - definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config' + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json') } diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json index 238f73683..de6701907 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json 
@@ -1,5 +1,5 @@ { - "name": "Deploy-MDFC-Config", + "name": "Deploy-MDFC-Config-H224", "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2019-09-01", "properties": { @@ -25,9 +25,6 @@ "enableAscForServersVulnerabilityAssessments": { "value": "DeployIfNotExists" }, - "vulnerabilityAssessmentProvider": { - "value": "mdeTvm" - }, "enableAscForSql": { "value": "DeployIfNotExists" }, @@ -49,23 +46,17 @@ "enableAscForArm": { "value": "DeployIfNotExists" }, - "enableAscForDns": { - "value": "DeployIfNotExists" - }, "enableAscForOssDb": { "value": "DeployIfNotExists" }, "enableAscForCosmosDbs": { "value": "DeployIfNotExists" }, - "enableAscForApis": { - "value": "DeployIfNotExists" - }, "enableAscForCspm": { "value": "DeployIfNotExists" } }, - "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config", + "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319", "scope": null, "enforcementMode": "Default" }, @@ -73,4 +64,4 @@ "identity": { "type": "SystemAssigned" } -} \ No newline at end of file +} From 7fe4784249308537561045ea67fa51c14f5708f8 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Sat, 15 Jun 2024 20:07:14 -0500 Subject: [PATCH 14/50] Add enforce_backup assignment and deployment --- .../alzDefaultPolicyAssignments.bicep | 45 +++++++++++++++++++ .../policy_assignment_es_enforce_backup.json | 18 ++++++++ 2 files changed, 63 insertions(+) create mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_backup.json diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 39e92dc6f..5031a100a 100644 
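Review bot: Renaming the assignment from `Deploy-MDFC-Config` to `Deploy-MDFC-Config-H224` in the first hunk changes the value that `parExcludedPolicyAssignments` is matched against in the bicep module, so any existing exclusion entry for `Deploy-MDFC-Config` silently stops applying, and on an already-deployed estate the old assignment (still bound to the superseded initiative, with its own managed identity and role assignments) is left in place next to the new one rather than replaced. The same applies to the `Deploy-Resource-Diag` → `Deploy-Diag-Logs` rename in the later diag-logs JSON hunk. The commit message or an upgrade note should state that operators need to remove the old assignment and update their exclusion lists. The third hunk also drops `enableAscForDns` and `enableAscForApis`; that presumably mirrors the parameter set of `Deploy-MDFC-Config_20240319`, but a one-line note that the Defender plans for DNS and APIs are no longer configured by this assignment would let reviewers confirm it is intentional rather than an accidental loss of coverage.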
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -153,6 +153,7 @@ var varModuleDeploymentNames = { modPolicyAssignmentIntRootDenyClassicRes: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyClassicRes-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootDenyUnmanagedDisks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyUnmanagedDisks-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentPlatformEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentPlatformEnforceAsr: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceBackup-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentConnEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-conn-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIdentDenyPublicIp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIdentDenyMgmtPortsFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyMgmtFromInet-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) 
@@ -175,6 +176,7 @@ var varModuleDeploymentNames = { modPolicyAssignmentLzsDeploySqlThreat: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLThreat-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsDeploySqlTde: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLTde-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsEnforceAsr: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsAuditAppGwWaf: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditAppGwWaf-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceSovereigntyConf-confidential-online-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsCorpDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) 
@@ -384,6 +386,11 @@ var varPolicyAssignmentEnforceACSB = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_acsb.tmpl.json') } +var varPolicyAssignmentEnforceAsr = { + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Backup' + libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_backup.json') +} + var varPolicyAssignmentEnforceALZDecomm = { definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_decomm.tmpl.json') 
@@ -865,6 +872,25 @@ module modPolicyAssignmentPlatformEnforceGrKeyVault '../../../policy/assignments } } +// Module - Policy Assignment - Enforce-ASR +module modPolicyAssignmentPlatformEnforceAsr '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceAsr.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.platform) + name: varModuleDeploymentNames.modPolicyAssignmentPlatformEnforceAsr + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceAsr.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnforceAsr.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceAsr.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnforceAsr.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnforceAsr.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceAsr.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceAsr.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.contributor + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + // Modules - Policy Assignments - Connectivity Management Group // Module - Policy Assignment - Enable-DDoS-VNET module modPolicyAssignmentConnEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(parDdosProtectionPlanId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnableDDoSVNET.libDefinition.name))) { 
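Review bot: `parPolicyAssignmentIdentityRoleDefinitionIds` grants the assignment's system-assigned identity `varRbacRoleDefinitionIds.contributor` at the `platform` management group, which is broader than the DeployIfNotExists/Modify effects of a backup-enforcement initiative should need; the same grant is repeated for the landing-zones module in the next hunk. Least privilege would be to pass the roleDefinitionIds that the `Enforce-Backup` member definitions themselves declare (the initiative's definition JSON is not in this part of the series, so the exact roles cannot be confirmed from here). If Contributor really is required, a comment above the role list naming the member definition that needs it, e.g. `// Contributor required by <member definition>; narrow once a backup-scoped role suffices`, keeps the grant reviewable.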
@@ -1289,6 +1315,25 @@ module modPolicyAssignmentLzsEnforceGrKeyVault '../../../policy/assignments/poli } } +// Module - Policy Assignment - Enforce-ASR +module modPolicyAssignmentLzsEnforceAsr '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceAsr.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceAsr + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceAsr.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnforceAsr.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceAsr.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnforceAsr.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnforceAsr.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceAsr.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceAsr.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.contributor + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + // Module - Policy Assignment - Audit-AppGW-WAF module modPolicyAssignmentLzsAuditAppGwWaf '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentAuditAppGWWAF.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.landingZones) diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_backup.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_backup.json new file mode 100644 index 000000000..f44d05700 --- /dev/null 
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_backup.json @@ -0,0 +1,18 @@ +{ + "name": "Enforce-ASR", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "This initiative assignment enables recommended ALZ guardrails for Azure Recovery Services.", + "displayName": "Enforce enhanced recovery and backup policies", + "notScopes": [], + "parameters": {}, + "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Backup", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "SystemAssigned" + } +} From dda1cc5c38c48c22858d085119103bf3199758fa Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Sun, 16 Jun 2024 18:09:36 -0500 Subject: [PATCH 15/50] Replace custom diag intiative with built-in --- .../alzDefaults/alzDefaultPolicyAssignments.bicep | 8 ++++---- ...policy_assignment_es_deploy_resource_diag.tmpl.json | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 5031a100a..b37e14ae2 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep 
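Review bot: The new library file is named `policy_assignment_es_enforce_backup.json` while the siblings loaded in this series (`policy_assignment_es_enforce_acsb.tmpl.json`, `policy_assignment_es_audit_trustedlaunch.tmpl.json`) use the `.tmpl.json` suffix, yet it carries the `${varTopLevelManagementGroupResourceId}` template token in `policyDefinitionId`; if any tooling or doc generator keys on the `.tmpl.json` suffix this file will be skipped, so renaming it to `policy_assignment_es_enforce_backup.tmpl.json` (and updating the `loadJsonContent` path in the bicep hunk) keeps the convention. Naming is also mixed across the change — the assignment is `Enforce-ASR`, the deployment names say `deployEnforceBackup`, the variables say `EnforceAsr`, and the initiative is `Enforce-Backup` — and since `parExcludedPolicyAssignments` is matched against the assignment `name`, settling on one term makes exclusions easier to get right. A short note on why the assignment name differs from the initiative name would help the next maintainer.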
@@ -140,7 +140,7 @@ var varModuleDeploymentNames = { modPolicyAssignmentIntRootDeployMdfcConfig: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMDFCConfig-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootDeployAzActivityLog: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAzActivityLog-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootDeployAscMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployASCMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIntRootDeployResourceDiag: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployResoruceDiag-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployResourceDiag: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployResourceDiag-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootDeployVmMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootDeployVmssMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMSSMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootDeployMDEnpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMDEndpoints-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) 
@@ -347,7 +347,7 @@ var varPolicyAssignmentDeployPrivateDNSZones = { } var varPolicyAssignmentDeployResourceDiag = { - definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/0884adba-2312-4468-abeb-5422caed1038' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json') } @@ -554,7 +554,7 @@ module modPolicyAssignmentIntRootEnforceSovereigntyGlobal '../../../policy/assig } } -// Module - Policy Assignment - Deploy-MDFC-Config +// Module - Policy Assignment - Deploy-MDFC-Config-H224 module modPolicyAssignmentIntRootDeployMdfcConfig '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMDFCConfig.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.intRoot) name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMdfcConfig @@ -644,7 +644,7 @@ module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignment } } -// Module - Policy Assignment - Deploy-Resource-Diag +// Module - Policy Assignment - Deploy-Diag-Logs module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployResourceDiag.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.intRoot) name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployResourceDiag diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json index 5ba310082..9a75e12ff 100644 
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json @@ -1,17 +1,17 @@ { - "name": "Deploy-Resource-Diag", + "name": "Deploy-Diag-Logs", "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2019-09-01", "properties": { - "description": "Ensures that Azure resources are configured to forward diagnostic logs and metrics to an Azure Log Analytics workspace.", - "displayName": "Deploy-Resource-Diag", + "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the allLogs category group to route logs to an Event Hub for all supported resources.", + "displayName": "Enable allLogs category group resource logging for supported resources to Log Analytics", "notScopes": [], "parameters": { "logAnalytics": { "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la" } }, - "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/0884adba-2312-4468-abeb-5422caed1038", "scope": null, "enforcementMode": "Default" }, @@ -19,4 +19,4 @@ "identity": { "type": "SystemAssigned" } -} \ No newline at end of file +} From ab58efec6a6edc0cd0657703fdfb65ba31097b99 Mon Sep 17 00:00:00 2001 
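Review bot: The new `description` says the initiative routes logs "to an Event Hub", but the `displayName` on the next line, the `logAnalytics` parameter and the built-in initiative id `0884adba-2312-4468-abeb-5422caed1038` all target a Log Analytics workspace, so the text appears to have been copied from the Event Hub variant of the built-in initiative. Suggest ending it `... deploys diagnostic settings using the allLogs category group to route logs to a Log Analytics workspace for all supported resources.` The description is shown in the portal on every scope the assignment covers, so a wrong destination will mislead whoever audits where diagnostic data lands.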
From: Zach Trocinski Date: Sun, 16 Jun 2024 18:19:46 -0500 Subject: [PATCH 16/50] Added missing endpoint for using machine learning with private dns zones --- .../alzDefaults/alzDefaultPolicyAssignments.bicep | 4 ++++ .../policy_assignment_es_deploy_private_dns_zones.tmpl.json | 5 ++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index b37e14ae2..dd344650f 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -508,6 +508,7 @@ var varPrivateDnsZonesFinalResourceIds = { azureAcrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurecr.io' azureEventHubNamespacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.servicebus.windows.net' azureMachineLearningWorkspacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.api.azureml.ms' + azureMachineLearningWorkspaceSecondPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.notebooks.azure.net' azureServiceBusNamespacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.servicebus.windows.net' azureCognitiveSearchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.search.windows.net' } 
@@ -1528,6 +1529,9 @@ module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments azureMachineLearningWorkspacePrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureMachineLearningWorkspacePrivateDnsZoneId } + azureMachineLearningWorkspaceSecondPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureMachineLearningWorkspaceSecondPrivateDnsZoneId + } azureServiceBusNamespacePrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureServiceBusNamespacePrivateDnsZoneId } diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json index 63a0cd415..b82a58e9d 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json @@ -163,6 +163,9 @@ "azureMachineLearningWorkspacePrivateDnsZoneId": { "value": "${varPrivateDnsZonesFinalResourceIds}.azureMachineLearningWorkspacePrivateDnsZoneId]" }, + "azureMachineLearningWorkspaceSecondPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMachineLearningWorkspaceSecondPrivateDnsZoneId]" + }, "azureServiceBusNamespacePrivateDnsZoneId": { "value": "${varPrivateDnsZonesFinalResourceIds}.azureServiceBusNamespacePrivateDnsZoneId]" }, @@ -178,4 +181,4 @@ "identity": { "type": "SystemAssigned" } -} \ No newline at end of file +} From 8b20af341c7f364ec974d855b4b1ae75d5f28be5 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Sun, 16 Jun 2024 18:27:04 -0500 Subject: [PATCH 17/50] Update policy assignments api version to 2024-04-01 --- .../policy/assignments/policyAssignmentManagementGroup.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
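Review bot: `azureMachineLearningWorkspaceSecondPrivateDnsZoneId` is passed through to the `Deploy-Private-DNS-Zones` assignment in both hunks, and a policy assignment deployment fails if the target initiative does not declare a parameter with exactly that name; the definition-side change is not visible in this part of the series, so it is worth confirming the parameter (and a matching member definition for `privatelink.notebooks.azure.net`) exists before this lands. The new JSON value keeps the existing `"${varPrivateDnsZonesFinalResourceIds}.…]"` form with the trailing `]`, which is consistent with its siblings, so nothing new there. A comment on the `varPrivateDnsZonesFinalResourceIds` entry such as `// second zone required by Azure ML workspace private endpoints (notebooks)` would explain why one service has two zone ids.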
diff --git a/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep b/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep index b9ac25532..99a1a91f7 100644 --- a/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep @@ -81,7 +81,7 @@ var varPolicyAssignmentIdentityRoleAssignmentsMgsConverged = parPolicyAssignment // Customer Usage Attribution Id var varCuaid = '78001e36-9738-429c-a343-45cc84e8a527' -resource resPolicyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = { +resource resPolicyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = { name: parPolicyAssignmentName properties: { displayName: parPolicyAssignmentDisplayName From eb205211eeeafb00059cc70bc3109673a9ca137e Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Sun, 16 Jun 2024 19:01:05 -0500 Subject: [PATCH 18/50] Add policy assignment for trusted launch initiative --- .../alzDefaultPolicyAssignments.bicep | 22 +++++++++++++++++++ ...ssignment_es_audit_trustedlaunch.tmpl.json | 18 +++++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index dd344650f..32ed9b01b 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep 
@@ -150,6 +150,7 @@ var varModuleDeploymentNames = { modPolicyAssignmentIntRootAuditLocationMatch: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditLocationMatch-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootAuditZoneResiliency: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditZoneResiliency-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootAuditUnusedRes: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditUnusedRes-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootAuditTrustedLaunch: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditTrustedLaunch-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootDenyClassicRes: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyClassicRes-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootDenyUnmanagedDisks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyUnmanagedDisks-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentPlatformEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) 
@@ -216,6 +217,11 @@ var varPolicyAssignmentAuditUnusedResources = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_audit_unusedresources.tmpl.json') } +var varPolicyAssignmentAuditTrustedLaunch = { + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch' + libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json') +} + var varPolicyAssignmentAuditZoneResiliency = { definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_audit_zoneresiliency.tmpl.json') 
@@ -823,6 +829,22 @@ module modPolicyAssignmentIntRootAuditUnusedRes '../../../policy/assignments/pol } } +// Module - Policy Assignment - Audit Trusted Launch +module modPolicyAssignmentIntRootAuditTrustedLaunch '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentAuditTrustedLaunch.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootAuditTrustedLaunch + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentAuditTrustedLaunch.definitionId + parPolicyAssignmentName: varPolicyAssignmentAuditTrustedLaunch.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentAuditTrustedLaunch.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentAuditTrustedLaunch.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentAuditTrustedLaunch.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentAuditTrustedLaunch.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentAuditTrustedLaunch.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + // Module - Policy Assignment - Deny-UnmanagedDisk module modPolicyAssignmentIntRootDenyUnmanagedDisks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyUnmanagedDisk.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.intRoot) diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json new file mode 100644 index 000000000..33ba0f2d6 --- /dev/null 
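Review bot: The new module assigns a custom initiative, `${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch`, but nothing in this hunk, the `varPolicyAssignmentAuditTrustedLaunch` hunk above it, or the new template shows that set definition being added to the custom definitions library, so the assignment would fail at deploy time if the definitions module has not been updated first. That dependency is worth recording where the module is declared, e.g. `// Module - Policy Assignment - Audit Trusted Launch (custom initiative Audit-TrustedLaunch must exist at the top-level MG)`. The block otherwise mirrors its neighbours, and since the template sets identity type `None` it is correct that no `parPolicyAssignmentIdentityRoleDefinitionIds` is passed.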
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json @@ -0,0 +1,18 @@ +{ + "name": "Audit-TrustedLaunch", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.", + "displayName": "Audit virtual machines for Trusted Launch support", + "notScopes": [], + "parameters": {}, + "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "None" + } +} From e9daeacb25e026c0ff9dea821f0d2b7c43c222c8 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Sun, 16 Jun 2024 22:35:19 -0500 Subject: [PATCH 19/50] Supersede Deploy-EncryptTransit with Deploy-EncryptTransit_20240509 --- .../alzDefaults/alzDefaultPolicyAssignments.bicep | 2 +- .../policy_assignment_es_enforce_tls_ssl.tmpl.json | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 32ed9b01b..05a8e6751 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep 
@@ -413,7 +413,7 @@ var varPolicyAssignmentEnforceGRKeyVault = { } var varPolicyAssignmentEnforceTLSSSL = { - definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit' + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json') } diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json index 96ff96fba..351a3e5cb 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json @@ -1,5 +1,5 @@ { - "name": "Enforce-TLS-SSL", + "name": "Enforce-TLS-SSL-H224", "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2019-09-01", "properties": { @@ -7,7 +7,7 @@ "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", "notScopes": [], "parameters": {}, - "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit", + "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509", "scope": null, "enforcementMode": "Default" }, @@ -15,4 +15,4 @@ "identity": { "type": "SystemAssigned" } -} \ No newline at end of file +} From 595c2a49e12c4f1e5e0720c9c10b818380b85469 Mon Sep 17 00:00:00 2001 
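Review bot: Renaming the assignment from `Enforce-TLS-SSL` to `Enforce-TLS-SSL-H224` in the template silently changes two things the commit does not address: the modules gate on `contains(parExcludedPolicyAssignments, ...libDefinition.name)`, so any environment that had excluded `Enforce-TLS-SSL` will start enforcing the deny/deploy initiative after upgrade, and the existing `Enforce-TLS-SSL` assignment is left in place on the management group because the template no longer manages it, so both assignments run side by side until the old one is removed by hand. Either keep the assignment name and change only `policyDefinitionId`, or document the migration step in the commit and the module header, e.g. `// Note: assignment renamed to Enforce-TLS-SSL-H224; remove the prior Enforce-TLS-SSL assignment and update parExcludedPolicyAssignments`. The bicep keeps the variable `varPolicyAssignmentEnforceTLSSSL` while the generated library input later in this series renames it to `varPolicyAssignmentEnforceTLSSSLH224`, so the two will drift; and the patch subject names `Deploy-EncryptTransit` where the code changes `Enforce-EncryptTransit`.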
From: Zach Trocinski Date: Sun, 16 Jun 2024 23:35:17 -0500 Subject: [PATCH 20/50] Added MD Endpoints AMA initiative and assignment --- .../alzDefaultPolicyAssignments.bicep | 28 ++++++++++++++++++- ...nment_es_deploy_md_endpoints_ama.tmpl.json | 18 ++++++++++++ 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_md_endpoints_ama.tmpl.json diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 05a8e6751..f636dcf90 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep 
@@ -144,6 +144,7 @@ var varModuleDeploymentNames = { modPolicyAssignmentIntRootDeployVmMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootDeployVmssMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMSSMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootDeployMDEnpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMDEndpoints-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployMDEnpointsAma: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMDEndpointsAma-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootEnforceAcsb: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAcsb-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootDeployMdfcOssDb: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMdfcOssDb-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootDeployMdfcSqlAtp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMdfcSqlAtp-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) 
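Review bot: The new deployment-name key `modPolicyAssignmentIntRootDeployMDEnpointsAma` copies the existing `MDEnpoints` misspelling, while the variable added in the next hunk is `varPolicyAssignmentDeployMDEndpointsAma`, the module symbol is `modPolicyAssignmentIntRootDeployMDEndpointsAMA`, and the generated library input uses `varPolicyAssignmentDeployMDEndpointsAMA`, so the same assignment is now referred to by four spellings. Since this is new code, `modPolicyAssignmentIntRootDeployMDEndpointsAma: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMDEndpointsAma-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)` and a matching `name:` reference would avoid propagating the typo. The sibling rename of the module symbol to `modPolicyAssignmentIntRootDeployMDEndpoints` still reads `varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMDEnpoints`, which works but is presumably unintended; if any output elsewhere in the file referenced the old symbol it would now fail to resolve.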
@@ -332,6 +333,11 @@ var varPolicyAssignmentDeployMDEndpoints = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdeendpoints.tmpl.json') } +var varPolicyAssignmentDeployMDEndpointsAma = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/77b391e3-2d5d-40c3-83bf-65c846b3c6a3' + libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_md_endpoints_ama.tmpl.json') +} + var varPolicyAssignmentDeployMDFCConfig = { definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json') @@ -430,6 +436,7 @@ var varRbacRoleDefinitionIds = { aksPolicyAddon: '18ed5180-3e48-46fd-8541-4ea054d57064' sqlDbContributor: '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec' backupContributor: '5e467623-bb1f-42f4-a55d-6e525e11384b' + rbacSecurityAdmin: 'fb1c8493-542b-48eb-b624-b4c8fea62acd' } // Management Groups Variables - Used For Policy Assignments @@ -592,7 +599,7 @@ module modPolicyAssignmentIntRootDeployMdfcConfig '../../../policy/assignments/p } // Module - Policy Assignment - Deploy-MDEndpoints -module modPolicyAssignmentIntRootDeployMDEnpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMDEndpoints.libDefinition.name)) { +module modPolicyAssignmentIntRootDeployMDEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMDEndpoints.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.intRoot) name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMDEnpoints params: { 
@@ -610,6 +617,25 @@ module modPolicyAssignmentIntRootDeployMDEnpoints '../../../policy/assignments/p } } +// Module - Policy Assignment - Deploy-MDEndpointsAMA +module modPolicyAssignmentIntRootDeployMDEndpointsAMA '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMDEndpointsAma.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMDEnpointsAma + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployMDEndpointsAma.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployMDEndpointsAma.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployMDEndpointsAma.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployMDEndpointsAma.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployMDEndpointsAma.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployMDEndpointsAma.libDefinition.identity.type + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.rbacSecurityAdmin + ] + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployMDEndpointsAma.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + // Module - Policy Assignment - Deploy-AzActivity-Log module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployAzActivityLog.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.intRoot) 
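Review bot: The SystemAssigned identity of this assignment is granted `varRbacRoleDefinitionIds.rbacSecurityAdmin` at the intermediate root, which is a broad Defender for Cloud write role inherited by every subscription in the hierarchy, and the hunk gives no indication of why that role is needed. Worth confirming it is the narrowest role the built-in initiative `77b391e3-2d5d-40c3-83bf-65c846b3c6a3` declares in its DeployIfNotExists effects and recording that next to the id, e.g. `rbacSecurityAdmin: 'fb1c8493-542b-48eb-b624-b4c8fea62acd' // Security Admin: required by Deploy-MDEndpointsAMA DINE effects`. The module body otherwise matches the pattern of the other assignments; the enclosing comment block is complete within this hunk.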
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_md_endpoints_ama.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_md_endpoints_ama.tmpl.json new file mode 100644 index 000000000..de68d6778 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_md_endpoints_ama.tmpl.json @@ -0,0 +1,18 @@ +{ + "name": "Deploy-MDEndpointsAMA", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "Configure the multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP, WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW, WDATP_UNIFIED_SOLUTION etc.). See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information.", + "displayName": "Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud", + "notScopes": [], + "parameters": {}, + "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/77b391e3-2d5d-40c3-83bf-65c846b3c6a3", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "SystemAssigned" + } +} From 979fb1bdbfbfac25aa91a4058dd6bf32bd02a827 Mon Sep 17 00:00:00 2001 From: github-actions Date: Mon, 17 Jun 2024 08:01:56 +0000 Subject: [PATCH 21/50] Update Policy Library (automated) --- .../_policyAssignmentsBicepInput.txt | 27 ++++++++++++++----- 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt index c166547a6..12f8c6e8a 100644 
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt @@ -13,6 +13,11 @@ var varPolicyAssignmentAuditLocationMatch = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_audit_res_location_match_rg_location.tmpl.json') } +var varPolicyAssignmentAuditTrustedLaunch = { + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch' + libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json') +} + var varPolicyAssignmentAuditUnusedResources = { definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_audit_unusedresources.tmpl.json') 
@@ -163,13 +168,18 @@ var varPolicyAssignmentDeployLXArcMonitoring = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json') } +var varPolicyAssignmentDeployMDEndpointsAMA = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/77b391e3-2d5d-40c3-83bf-65c846b3c6a3' + libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_md_endpoints_ama.tmpl.json') +} + var varPolicyAssignmentDeployMDEndpoints = { definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/e20d08c5-6d64-656d-6465-ce9e37fd0ebc' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdeendpoints.tmpl.json') } -var varPolicyAssignmentDeployMDFCConfig = { - definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config' +var varPolicyAssignmentDeployMDFCConfigH224 = { + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json') } 
@@ -188,8 +198,8 @@ var varPolicyAssignmentDeployPrivateDNSZones = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json') } -var varPolicyAssignmentDeployResourceDiag = { - definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics' +var varPolicyAssignmentDeployDiagLogs = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/0884adba-2312-4468-abeb-5422caed1038' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json') } @@ -253,6 +263,11 @@ var varPolicyAssignmentEnforceALZSandbox = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_sandbox.tmpl.json') } +var varPolicyAssignmentEnforceASR = { + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Backup' + libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_backup.json') +} + var varPolicyAssignmentEnforceGRKeyVault = { definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_keyvault.tmpl.json') 
@@ -268,8 +283,8 @@ var varPolicyAssignmentEnforceSovereignGlobal = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_global.tmpl.json') } -var varPolicyAssignmentEnforceTLSSSL = { - definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit' +var varPolicyAssignmentEnforceTLSSSLH224 = { + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json') } From 97ef20b002b142dee187f3fc72e09a9a3707c023 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Mon, 17 Jun 2024 22:42:15 -0500 Subject: [PATCH 22/50] Cleanup param files of old workspace solutions --- infra-as-code/bicep/modules/logging/logging.bicep | 1 + .../logging/parameters/logging.parameters.all.json | 8 +------- .../logging/parameters/logging.parameters.min.json | 8 +------- .../logging/parameters/mc-logging.parameters.all.json | 8 +------- .../logging/parameters/mc-logging.parameters.min.json | 8 +------- .../bicep/modules/logging/samples/baseline.sample.bicep | 9 ++------- 6 files changed, 7 insertions(+), 35 deletions(-) diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep index 8b5930148..2ddf6d395 100644 --- a/infra-as-code/bicep/modules/logging/logging.bicep +++ b/infra-as-code/bicep/modules/logging/logging.bicep @@ -124,6 +124,7 @@ param parLogAnalyticsWorkspaceSolutions array = [ 'AntiMalware' 'Security' 'SecurityInsights' + 'ServiceMap' ] @sys.description('''Resource Lock Configuration for Log Analytics Workspace Solutions. 
diff --git a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json index 0c95bad53..05f452fd9 100644 --- a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json +++ b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json @@ -19,16 +19,10 @@ }, "parLogAnalyticsWorkspaceSolutions": { "value": [ - "AgentHealthAssessment", "AntiMalware", - "ChangeTracking", "Security", "SecurityInsights", - "SQLAdvancedThreatProtection", - "SQLVulnerabilityAssessment", - "SQLAssessment", - "Updates", - "VMInsights" + "ServiceMap" ] }, "parDataCollectionRuleVMInsightsName": { diff --git a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json index a962c9a3f..218d6c2d4 100644 --- a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json +++ b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json @@ -10,16 +10,10 @@ }, "parLogAnalyticsWorkspaceSolutions": { "value": [ - "AgentHealthAssessment", "AntiMalware", - "ChangeTracking", "Security", "SecurityInsights", - "SQLAdvancedThreatProtection", - "SQLVulnerabilityAssessment", - "SQLAssessment", - "Updates", - "VMInsights" + "ServiceMap" ] }, "parAutomationAccountLocation": { diff --git a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json index 78222692a..2fa845453 100644 --- a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json +++ b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json 
@@ -16,16 +16,10 @@ }, "parLogAnalyticsWorkspaceSolutions": { "value": [ - "AgentHealthAssessment", "AntiMalware", - "ChangeTracking", "Security", "SecurityInsights", - "SQLAdvancedThreatProtection", - "SQLVulnerabilityAssessment", - "SQLAssessment", - "Updates", - "VMInsights" + "ServiceMap" ] }, "parDataCollectionRuleVMInsightsName": { diff --git a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json index 04d9b40d4..de51b6a25 100644 --- a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json +++ b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json @@ -10,16 +10,10 @@ }, "parLogAnalyticsWorkspaceSolutions": { "value": [ - "AgentHealthAssessment", "AntiMalware", - "ChangeTracking", "Security", "SecurityInsights", - "SQLAdvancedThreatProtection", - "SQLVulnerabilityAssessment", - "SQLAssessment", - "Updates", - "VMInsights" + "ServiceMap" ] }, "parAutomationAccountLocation": { diff --git a/infra-as-code/bicep/modules/logging/samples/baseline.sample.bicep b/infra-as-code/bicep/modules/logging/samples/baseline.sample.bicep index 11612fdc2..aa84cfd16 100644 --- a/infra-as-code/bicep/modules/logging/samples/baseline.sample.bicep +++ b/infra-as-code/bicep/modules/logging/samples/baseline.sample.bicep @@ -26,17 +26,12 @@ module baseline_logging '../logging.bicep' = { parLogAnalyticsWorkspaceName: 'alz-log-analytics' parLogAnalyticsWorkspaceSkuName: 'PerGB2018' parLogAnalyticsWorkspaceSolutions: [ - 'AgentHealthAssessment' 'AntiMalware' - 'ChangeTracking' 'Security' 'SecurityInsights' - 'SQLAdvancedThreatProtection' - 'SQLVulnerabilityAssessment' - 'SQLAssessment' - 'Updates' - 'VMInsights' + 'ServiceMap' ] + parUserAssignedManagedIdentityName: 'alz-umi-identity' parAutomationAccountName: 'alz-automation-account' parAutomationAccountUseManagedIdentity: true parTelemetryOptOut: false 
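Review bot: The baseline sample sets `parUserAssignedManagedIdentityName: 'alz-umi-identity'`, while the generated documentation later in this series shows the module default as `alz-logging-mi`, so a "baseline" sample now deploys an identity under a name that differs from every parameter file and from the default. Either drop the line so the sample follows the default or use `parUserAssignedManagedIdentityName: 'alz-logging-mi'` for consistency. This addition is also unrelated to the patch subject ("Cleanup param files of old workspace solutions"), so it is easy to miss in review.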
From d0ddbea601d9fba1175c7d4a9f3c88bc49738115 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 18 Jun 2024 03:47:29 +0000 Subject: [PATCH 23/50] Generate Parameter Markdowns [oZakari/56e2292c] --- .../logging/generateddocs/logging.bicep.md | 161 +++++++++++++++--- 1 file changed, 141 insertions(+), 20 deletions(-) diff --git a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md index 74337d28d..b67f91d0c 100644 --- a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md +++ b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md 
@@ -6,29 +6,30 @@ ALZ Bicep Module used to set up Logging Parameter name | Required | Description -------------- | -------- | ----------- -parGlobalResourceLock | No | Global Resource Lock Configuration used for all resources deployed in this module. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parGlobalResourceLock | No | Global Resource Lock Configuration used for all resources deployed in this module. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceName | No | Log Analytics Workspace name. parLogAnalyticsWorkspaceLocation | No | Log Analytics region name - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings. +parDataCollectionRuleVMInsightsName | No | VM Insights Data Collection Rule name for AMA integration. +parDataCollectionRuleVMInsightsLock | No | Resource Lock Configuration for VM Insights Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parDataCollectionRuleChangeTrackingName | No | Change Tracking Data Collection Rule name for AMA integration. +parDataCollectionRuleChangeTrackingLock | No | Resource Lock Configuration for Change Tracking Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parDataCollectionRuleMDFCSQLName | No | MDFC for SQL Data Collection Rule name for AMA integration. +parDataCollectionRuleMDFCSQLLock | No | Resource Lock Configuration for MDFC Defender for SQL Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceSkuName | No | Log Analytics Workspace sku name. 
parLogAnalyticsWorkspaceCapacityReservationLevel | No | Log Analytics Workspace Capacity Reservation Level. Only used if parLogAnalyticsWorkspaceSkuName is set to CapacityReservation. parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log retention for Log Analytics Workspace. -parLogAnalyticsWorkspaceLock | No | Resource Lock Configuration for Log Analytics Workspace. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parLogAnalyticsWorkspaceLock | No | Resource Lock Configuration for Log Analytics Workspace. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceSolutions | No | Solutions that will be added to the Log Analytics Workspace. -parLogAnalyticsWorkspaceSolutionsLock | No | Resource Lock Configuration for Log Analytics Workspace Solutions. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. -parDataCollectionRuleVMInsightsName | No | VM Insights Data Collection Rule name for AMA integration. -parDataCollectionRuleVMInsightsLock | No | Resource Lock Configuration for VM Insights Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. -parDataCollectionRuleChangeTrackingName | No | Change Tracking Data Collection Rule name for AMA integration. -parDataCollectionRuleChangeTrackingLock | No | Resource Lock Configuration for Change Tracking Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. -parDataCollectionRuleMDFCSQLName | No | MDFC for SQL Data Collection Rule name for AMA integration. 
-parDataCollectionRuleMDFCSQLLock | No | Resource Lock Configuration for MDFC Defender for SQL Data Collection Rule - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parLogAnalyticsWorkspaceSolutionsLock | No | Resource Lock Configuration for Log Analytics Workspace Solutions. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parUserAssignedManagedIdentityName | No | Name of the User Assigned Managed Identity required for authenticating Azure Monitoring Agent to Azure. -parUserAssignedManagedIdentityLock | No | Resource Lock Configuration for User Assigned Managed Identity. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parUserAssignedManagedIdentityLocation | No | User Assigned Managed Identity location. +parUserAssignedManagedIdentityLock | No | parLogAnalyticsWorkspaceLinkAutomationAccount | No | Log Analytics Workspace should be linked with the automation account. parAutomationAccountName | No | Automation account name. parAutomationAccountLocation | No | Automation Account region name. - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings. parAutomationAccountUseManagedIdentity | No | Automation Account - use managed identity. parAutomationAccountPublicNetworkAccess | No | Automation Account - Public network access. -parAutomationAccountLock | No | Resource Lock Configuration for Automation Account. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parAutomationAccountLock | No | Resource Lock Configuration for Automation Account. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. 
parTags | No | Tags you would like to be applied to all resources in this module. parAutomationAccountTags | No | Tags you would like to be applied to Automation Account. parLogAnalyticsWorkspaceTags | No | Tags you would like to be applied to Log Analytics Workspace. 
@@ -65,6 +66,69 @@ Log Analytics region name - Ensure the regions selected is a supported mapping a - Default value: `[resourceGroup().location]` +### parDataCollectionRuleVMInsightsName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +VM Insights Data Collection Rule name for AMA integration. + +- Default value: `alz-ama-vmi-dcr` + +### parDataCollectionRuleVMInsightsLock + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Resource Lock Configuration for VM Insights Data Collection Rule. + +- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. +- `notes` - Notes about this lock. + + + +- Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Logging Module.}` + +### parDataCollectionRuleChangeTrackingName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Change Tracking Data Collection Rule name for AMA integration. + +- Default value: `alz-ama-ct-dcr` + +### parDataCollectionRuleChangeTrackingLock + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Resource Lock Configuration for Change Tracking Data Collection Rule. + +- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. +- `notes` - Notes about this lock. + + + +- Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Logging Module.}` + +### parDataCollectionRuleMDFCSQLName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +MDFC for SQL Data Collection Rule name for AMA integration. + +- Default value: `alz-ama-mdfcsql-dcr` + +### parDataCollectionRuleMDFCSQLLock + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Resource Lock Configuration for MDFC Defender for SQL Data Collection Rule. 
+ +- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. +- `notes` - Notes about this lock. + + + +- Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Logging Module.}` + ### parLogAnalyticsWorkspaceSkuName ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) @@ -112,9 +176,9 @@ Resource Lock Configuration for Log Analytics Workspace. Solutions that will be added to the Log Analytics Workspace. -- Default value: `AgentHealthAssessment AntiMalware ChangeTracking Security SecurityInsights SQLAdvancedThreatProtection SQLVulnerabilityAssessment SQLAssessment Updates VMInsights` +- Default value: `AntiMalware Security SecurityInsights ServiceMap` -- Allowed values: `AgentHealthAssessment`, `AntiMalware`, `ChangeTracking`, `Security`, `SecurityInsights`, `ServiceMap`, `SQLAdvancedThreatProtection`, `SQLVulnerabilityAssessment`, `SQLAssessment`, `Updates`, `VMInsights` +- Allowed values: `AntiMalware`, `Security`, `SecurityInsights`, `ServiceMap` ### parLogAnalyticsWorkspaceSolutionsLock 
@@ -127,6 +191,30 @@ Resource Lock Configuration for Log Analytics Workspace Solutions. +- Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Logging Module.}` + +### parUserAssignedManagedIdentityName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Name of the User Assigned Managed Identity required for authenticating Azure Monitoring Agent to Azure. + +- Default value: `alz-logging-mi` + +### parUserAssignedManagedIdentityLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +User Assigned Managed Identity location. + +- Default value: `[resourceGroup().location]` + +### parUserAssignedManagedIdentityLock + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + + + - Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Logging Module.}` ### parLogAnalyticsWorkspaceLinkAutomationAccount @@ -263,6 +351,33 @@ outAutomationAccountId | string | "parLogAnalyticsWorkspaceLocation": { "value": "[resourceGroup().location]" }, + "parDataCollectionRuleVMInsightsName": { + "value": "alz-ama-vmi-dcr" + }, + "parDataCollectionRuleVMInsightsLock": { + "value": { + "kind": "None", + "notes": "This lock was created by the ALZ Bicep Logging Module." + } + }, + "parDataCollectionRuleChangeTrackingName": { + "value": "alz-ama-ct-dcr" + }, + "parDataCollectionRuleChangeTrackingLock": { + "value": { + "kind": "None", + "notes": "This lock was created by the ALZ Bicep Logging Module." + } + }, + "parDataCollectionRuleMDFCSQLName": { + "value": "alz-ama-mdfcsql-dcr" + }, + "parDataCollectionRuleMDFCSQLLock": { + "value": { + "kind": "None", + "notes": "This lock was created by the ALZ Bicep Logging Module." + } + }, "parLogAnalyticsWorkspaceSkuName": { "value": "PerGB2018" }, 
@@ -280,16 +395,10 @@ outAutomationAccountId | string | }, "parLogAnalyticsWorkspaceSolutions": { "value": [ - "AgentHealthAssessment", "AntiMalware", - "ChangeTracking", "Security", "SecurityInsights", - "SQLAdvancedThreatProtection", - "SQLVulnerabilityAssessment", - "SQLAssessment", - "Updates", - "VMInsights" + "ServiceMap" ] }, "parLogAnalyticsWorkspaceSolutionsLock": { @@ -298,6 +407,18 @@ outAutomationAccountId | string | "notes": "This lock was created by the ALZ Bicep Logging Module." } }, + "parUserAssignedManagedIdentityName": { + "value": "alz-logging-mi" + }, + "parUserAssignedManagedIdentityLocation": { + "value": "[resourceGroup().location]" + }, + "parUserAssignedManagedIdentityLock": { + "value": { + "kind": "None", + "notes": "This lock was created by the ALZ Bicep Logging Module." + } + }, "parLogAnalyticsWorkspaceLinkAutomationAccount": { "value": true }, From f814dd87f663006835bd920117b595f917bc09ba Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Mon, 17 Jun 2024 22:52:40 -0500 Subject: [PATCH 24/50] Remove resource lock for umi --- .../logging/generateddocs/logging.bicep.md | 1 - infra-as-code/bicep/modules/logging/logging.bicep | 15 --------------- .../parameters/logging.parameters.all.json | 6 ------ .../parameters/mc-logging.parameters.all.json | 6 ------ 4 files changed, 28 deletions(-) diff --git a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md index 74337d28d..0c7383825 100644 --- a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md +++ b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md 
@@ -22,7 +22,6 @@ parDataCollectionRuleChangeTrackingLock | No | Resource Lock Configuration parDataCollectionRuleMDFCSQLName | No | MDFC for SQL Data Collection Rule name for AMA integration. parDataCollectionRuleMDFCSQLLock | No | Resource Lock Configuration for MDFC Defender for SQL Data Collection Rule - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parUserAssignedManagedIdentityName | No | Name of the User Assigned Managed Identity required for authenticating Azure Monitoring Agent to Azure. -parUserAssignedManagedIdentityLock | No | Resource Lock Configuration for User Assigned Managed Identity. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceLinkAutomationAccount | No | Log Analytics Workspace should be linked with the automation account. parAutomationAccountName | No | Automation account name. parAutomationAccountLocation | No | Automation Account region name. - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings. diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep index 2ddf6d395..d2161808c 100644 --- a/infra-as-code/bicep/modules/logging/logging.bicep +++ b/infra-as-code/bicep/modules/logging/logging.bicep @@ -144,11 +144,6 @@ param parUserAssignedManagedIdentityName string = 'alz-logging-mi' @sys.description('User Assigned Managed Identity location.') param parUserAssignedManagedIdentityLocation string = resourceGroup().location -param parUserAssignedManagedIdentityLock lockType = { - kind: 'None' - notes: 'This lock was created by the ALZ Bicep Logging Module.' -} - @sys.description('Log Analytics Workspace should be linked with the automation account.') param parLogAnalyticsWorkspaceLinkAutomationAccount bool = true 
@@ -200,16 +195,6 @@ resource resUserAssignedManagedIdentity 'Microsoft.ManagedIdentity/userAssignedI
 location: parUserAssignedManagedIdentityLocation
 }
 
-// Create a resource lock for the user assigned managed identity if parGlobalResourceLock.kind != 'None' or if parUserAssignedManagedIdentityLock.kind != 'None'
-resource resUserAssignedIdentityLock 'Microsoft.Authorization/locks@2020-05-01' = if (parUserAssignedManagedIdentityLock.kind != 'None' || parGlobalResourceLock.kind != 'None') {
- scope: resUserAssignedManagedIdentity
- name: parUserAssignedManagedIdentityLock.?name ?? '${resUserAssignedManagedIdentity.name}-lock'
- properties: {
- level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parUserAssignedManagedIdentityLock.kind
- notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parUserAssignedManagedIdentityLock.?notes
- }
-}
-
 resource resAutomationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' = {
 name: parAutomationAccountName
 location: parAutomationAccountLocation
diff --git a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json
index 05f452fd9..8f812fce1 100644
--- a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json
+++ b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json
@@ -72,12 +72,6 @@
 "notes": "This lock was created by the ALZ Bicep Logging Module."
 }
 },
- "parUserAssignedManagedIdentityLock":{
- "value": {
- "kind": "None",
- "notes": "This lock was created by the ALZ Bicep Logging Module."
- }
- },
 "parAutomationAccountLock": {
 "value": {
 "kind": "None",
diff --git a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json
index 2fa845453..8b6d9856d 100644
--- a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json +++ b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json @@ -66,12 +66,6 @@ "notes": "This lock was created by the ALZ Bicep Logging Module." } }, - "parUserAssignedManagedIdentityLock":{ - "value": { - "kind": "None", - "notes": "This lock was created by the ALZ Bicep Logging Module." - } - }, "parAutomationAccountLock": { "value": { "kind": "None", From b61c969cec54662ae0b5d6bb93fc2d801dfafcd8 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 18 Jun 2024 03:58:52 +0000 Subject: [PATCH 25/50] Generate Parameter Markdowns [oZakari/56e2292c] --- .../logging/generateddocs/logging.bicep.md | 29 +++++-------------- 1 file changed, 8 insertions(+), 21 deletions(-) diff --git a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md index ec5639ec7..78a758078 100644 --- a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md +++ b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md 
@@ -6,28 +6,29 @@ ALZ Bicep Module used to set up Logging Parameter name | Required | Description -------------- | -------- | ----------- -parGlobalResourceLock | No | Global Resource Lock Configuration used for all resources deployed in this module. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parGlobalResourceLock | No | Global Resource Lock Configuration used for all resources deployed in this module. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceName | No | Log Analytics Workspace name. parLogAnalyticsWorkspaceLocation | No | Log Analytics region name - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings. parDataCollectionRuleVMInsightsName | No | VM Insights Data Collection Rule name for AMA integration. -parDataCollectionRuleVMInsightsLock | No | Resource Lock Configuration for VM Insights Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parDataCollectionRuleVMInsightsLock | No | Resource Lock Configuration for VM Insights Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parDataCollectionRuleChangeTrackingName | No | Change Tracking Data Collection Rule name for AMA integration. -parDataCollectionRuleChangeTrackingLock | No | Resource Lock Configuration for Change Tracking Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parDataCollectionRuleChangeTrackingLock | No | Resource Lock Configuration for Change Tracking Data Collection Rule. 
- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parDataCollectionRuleMDFCSQLName | No | MDFC for SQL Data Collection Rule name for AMA integration. -parDataCollectionRuleMDFCSQLLock | No | Resource Lock Configuration for MDFC Defender for SQL Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parDataCollectionRuleMDFCSQLLock | No | Resource Lock Configuration for MDFC Defender for SQL Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceSkuName | No | Log Analytics Workspace sku name. parLogAnalyticsWorkspaceCapacityReservationLevel | No | Log Analytics Workspace Capacity Reservation Level. Only used if parLogAnalyticsWorkspaceSkuName is set to CapacityReservation. parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log retention for Log Analytics Workspace. -parLogAnalyticsWorkspaceLock | No | Resource Lock Configuration for Log Analytics Workspace. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parLogAnalyticsWorkspaceLock | No | Resource Lock Configuration for Log Analytics Workspace. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceSolutions | No | Solutions that will be added to the Log Analytics Workspace. -parLogAnalyticsWorkspaceSolutionsLock | No | Resource Lock Configuration for Log Analytics Workspace Solutions. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parLogAnalyticsWorkspaceSolutionsLock | No | Resource Lock Configuration for Log Analytics Workspace Solutions. 
- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parUserAssignedManagedIdentityName | No | Name of the User Assigned Managed Identity required for authenticating Azure Monitoring Agent to Azure. +parUserAssignedManagedIdentityLocation | No | User Assigned Managed Identity location. parLogAnalyticsWorkspaceLinkAutomationAccount | No | Log Analytics Workspace should be linked with the automation account. parAutomationAccountName | No | Automation account name. parAutomationAccountLocation | No | Automation Account region name. - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings. parAutomationAccountUseManagedIdentity | No | Automation Account - use managed identity. parAutomationAccountPublicNetworkAccess | No | Automation Account - Public network access. -parAutomationAccountLock | No | Resource Lock Configuration for Automation Account. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parAutomationAccountLock | No | Resource Lock Configuration for Automation Account. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parTags | No | Tags you would like to be applied to all resources in this module. parAutomationAccountTags | No | Tags you would like to be applied to Automation Account. parLogAnalyticsWorkspaceTags | No | Tags you would like to be applied to Log Analytics Workspace. 
@@ -207,14 +208,6 @@ User Assigned Managed Identity location. - Default value: `[resourceGroup().location]` -### parUserAssignedManagedIdentityLock - -![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) - - - -- Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Logging Module.}` - ### parLogAnalyticsWorkspaceLinkAutomationAccount ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) @@ -411,12 +404,6 @@ outAutomationAccountId | string | "parUserAssignedManagedIdentityLocation": { "value": "[resourceGroup().location]" }, - "parUserAssignedManagedIdentityLock": { - "value": { - "kind": "None", - "notes": "This lock was created by the ALZ Bicep Logging Module." - } - }, "parLogAnalyticsWorkspaceLinkAutomationAccount": { "value": true }, From e82e997360de04445d87533f2fef29da9c4cf1f4 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Tue, 18 Jun 2024 22:50:49 -0500 Subject: [PATCH 26/50] Configure change tracking assignments --- .../alzDefaultPolicyAssignments.bicep | 211 ++++++++++++++++++ .../alzDefaultPolicyAssignments.bicep.md | 10 +- ...faultPolicyAssignments.parameters.all.json | 12 + ...faultPolicyAssignments.parameters.min.json | 12 + ...ent_es_deploy_vm_arc_changetrack.tmpl.json | 25 +++ ...ignment_es_deploy_vm_changetrack.tmpl.json | 34 +++ ...nment_es_deploy_vmss_changetrack.tmpl.json | 34 +++ 7 files changed, 335 insertions(+), 3 deletions(-) create mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_changetrack.tmpl.json create mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json create mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json 
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
index f636dcf90..d8162b4e9 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -78,6 +78,18 @@ param parLogAnalyticsWorkSpaceAndAutomationAccountLocation string = 'eastus'
 @sys.description('Log Analytics Workspace Resource ID.')
 param parLogAnalyticsWorkspaceResourceId string = ''
 
+@sys.description('Data Collection Rule VM Insights Resource ID.')
+param parDataCollectionRuleVMInsightsResourceId string = ''
+
+@sys.description('Data Collection Rule Change Tracking Resource ID.')
+param parDataCollectionRuleChangeTrackingResourceId string = ''
+
+@sys.description('Data Collection Rule MDFC SQL Resource ID.')
+param parDataCollectionRuleMDFCSQLResourceId string = ''
+
+@sys.description('User Assigned Managed Identity Resource ID.')
+param parUserAssignedManagedIdentityResourceId string = ''
+
 @sys.description('Number of days of log retention for Log Analytics Workspace.')
 param parLogAnalyticsWorkspaceLogRetentionInDays string = '365'
 
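Review bot: `parDataCollectionRuleVMInsightsResourceId` and `parDataCollectionRuleMDFCSQLResourceId` are declared here but none of the visible hunks of this patch read them; only the Change Tracking DCR and the UMI resource ID are passed into the new assignments, so either wire the other two to a consumer or hold them back until one exists. All four default to `''`, and the new module conditions key only on `parExcludedPolicyAssignments`, so an omitted ID flows into the `dcrResourceId` / `userAssignedIdentityResourceId` overrides as an empty string instead of failing at validation time. The descriptions should at least state the dependency, e.g. `@sys.description('Data Collection Rule Change Tracking Resource ID. Required unless the Deploy-*-ChangeTrack assignments are listed in parExcludedPolicyAssignments.')`, with the same wording on the UMI parameter.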
@@ -154,6 +166,9 @@ var varModuleDeploymentNames = {
 modPolicyAssignmentIntRootAuditTrustedLaunch: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditTrustedLaunch-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentIntRootDenyClassicRes: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyClassicRes-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentIntRootDenyUnmanagedDisks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyUnmanagedDisks-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentPlatformDeployVmArcTrack: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmArcChangeTrack-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentPlatformDeployVmChangeTrack: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmChangeTrack-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentPlatformDeployVmssChangeTrack: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssChangeTrack-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformEnforceAsr: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceBackup-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentConnEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-conn-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
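Review bot: The new key `modPolicyAssignmentPlatformDeployVmArcTrack` drops the `Change` that its two siblings and the module that looks it up (`modPolicyAssignmentPlatformDeployVmArcChangeTrack`) carry, so the deployment name and the module name no longer grep together; `modPolicyAssignmentPlatformDeployVmArcChangeTrack:` keeps them aligned. The landing-zone hunk (`@@ -177,6 +192,9 @@`) has the same drift in `modPolicyAssignmentLzsDeployVmArcTrack` and additionally uses a `-Lzs-` segment in all three new deployment names where every neighbouring entry uses `-lz-`, which makes the generated deployment names inconsistent in the activity log. Renaming the keys means updating the `name:` reference in the matching module hunks as well.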
@@ -177,6 +192,9 @@ var varModuleDeploymentNames = {
 modPolicyAssignmentLzsDeployAzSqlDbAuditing: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAzSQLDBAudit-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsDeploySqlThreat: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLThreat-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsDeploySqlTde: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLTde-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDeployVmArcTrack: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmArcChangeTrack-Lzs-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDeployVmChangeTrack: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmChangeTrack-Lzs-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDeployVmssChangeTrack: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssChangeTrack-Lzs-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsEnforceAsr: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsAuditAppGwWaf: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditAppGwWaf-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
@@ -378,6 +396,21 @@ var varPolicyAssignmentDeployVMBackup = {
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json')
 }
 
+var varPolicyAssignmentDeployVmArcChangeTrack = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/53448c70-089b-4f52-8f38-89196d7f2de1'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_changetrack.tmpl.json')
+}
+
+var varPolicyAssignmentDeployVmChangeTrack = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/92a36f05-ebc9-4bba-9128-b47ad2ea3354'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json')
+}
+
+var varPolicyAssignmentDeployVmssChangeTrack = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/c4a70814-96be-461c-889f-2b27429120dc'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json')
+}
+
 var varPolicyAssignmentDeployVMMonitoring = {
 definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a'
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json')
@@ -437,6 +470,8 @@ var varRbacRoleDefinitionIds = {
 sqlDbContributor: '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec'
 backupContributor: '5e467623-bb1f-42f4-a55d-6e525e11384b'
 rbacSecurityAdmin: 'fb1c8493-542b-48eb-b624-b4c8fea62acd'
+ reader: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
+ managedIdentityReader: 'f1a07417-d97a-45cb-824c-7a746778383'
 }
 
 // Management Groups Variables - Used For Policy Assignments
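Review bot: The `managedIdentityReader` value `f1a07417-d97a-45cb-824c-7a746778383` is not a well-formed GUID — its last group has 11 hex digits instead of 12 — so every new assignment that lists it in `parPolicyAssignmentIdentityRoleDefinitionIds` will fail when the role assignment is created. The built-in Managed Identity Operator role is `f1a07417-d97a-45cb-824c-7a7467783830`, which also shows that the key name understates the grant: that role lets the policy's identity assign the UMI to any VM or VMSS in scope, not merely read it. Renaming the key to `managedIdentityOperator` (and its references in the assignment hunks) keeps the permission visible at each call site; `reader` maps to the built-in Reader role and looks correct.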
@@ -905,6 +940,94 @@ module modPolicyAssignmentIntRootDenyClassicRes '../../../policy/assignments/pol
 }
 
 // Modules - Policy Assignments - Platform Management Group
+// Module - Policy Assignment - Deploy-vmArc-ChangeTrack
+module modPolicyAssignmentPlatformDeployVmArcChangeTrack '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmArcChangeTrack.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.platform)
+ name: varModuleDeploymentNames.modPolicyAssignmentPlatformDeployVmArcTrack
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmArcChangeTrack.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVmArcChangeTrack.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmArcChangeTrack.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVmArcChangeTrack.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVmArcChangeTrack.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmArcChangeTrack.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVmArcChangeTrack.libDefinition.properties.enforcementMode
+ parPolicyAssignmentParameterOverrides: {
+ dcrResourceId: {
+ value: parDataCollectionRuleChangeTrackingResourceId
+ }
+ }
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.logAnalyticsContributor
+ varRbacRoleDefinitionIds.monitoringContributor
+ varRbacRoleDefinitionIds.reader
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-VM-ChangeTrack
+module modPolicyAssignmentPlatformDeployVmChangeTrack '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmChangeTrack.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.platform)
+ name: varModuleDeploymentNames.modPolicyAssignmentPlatformDeployVmChangeTrack
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmChangeTrack.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVmChangeTrack.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmChangeTrack.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVmChangeTrack.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVmChangeTrack.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmChangeTrack.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVmChangeTrack.libDefinition.properties.enforcementMode
+ parPolicyAssignmentParameterOverrides: {
+ dcrResourceId: {
+ value: parDataCollectionRuleChangeTrackingResourceId
+ }
+ userAssignedIdentityResourceId: {
+ value: parUserAssignedManagedIdentityResourceId
+ }
+ }
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.vmContributor
+ varRbacRoleDefinitionIds.logAnalyticsContributor
+ varRbacRoleDefinitionIds.monitoringContributor
+ varRbacRoleDefinitionIds.managedIdentityReader
+ varRbacRoleDefinitionIds.reader
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-VMSS-ChangeTrack
+module modPolicyAssignmentPlatformDeployVmssChangeTrack '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmssChangeTrack.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.platform)
+ name: varModuleDeploymentNames.modPolicyAssignmentPlatformDeployVmssChangeTrack
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmssChangeTrack.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVmssChangeTrack.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmssChangeTrack.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVmssChangeTrack.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVmssChangeTrack.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmssChangeTrack.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVmssChangeTrack.libDefinition.properties.enforcementMode
+ parPolicyAssignmentParameterOverrides: {
+ dcrResourceId: {
+ value: parDataCollectionRuleChangeTrackingResourceId
+ }
+ userAssignedIdentityResourceId: {
+ value: parUserAssignedManagedIdentityResourceId
+ }
+ }
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.vmContributor
+ varRbacRoleDefinitionIds.logAnalyticsContributor
+ varRbacRoleDefinitionIds.monitoringContributor
+ varRbacRoleDefinitionIds.managedIdentityReader
+ varRbacRoleDefinitionIds.reader
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
 // Module - Policy Assignment - Enforce-GR-KeyVault
 module modPolicyAssignmentPlatformEnforceGrKeyVault '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceGRKeyVault.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.platform)
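Review bot: Each of the three platform assignments grants the assignment's managed identity up to five roles at the Platform management group (`vmContributor`, `logAnalyticsContributor`, `monitoringContributor`, `managedIdentityReader`, `reader`) with nothing recording why each one is needed, which is what a later reviewer trimming permissions will want to know. A one-line comment above each `parPolicyAssignmentIdentityRoleDefinitionIds` would cover it, e.g. `// VM Contributor + Managed Identity Operator presumably let the DINE remediation attach parUserAssignedManagedIdentityResourceId to the VM; Reader resolves the DCR — confirm against the initiative's role requirements`. The VM and VMSS blocks are identical apart from their variable prefix, and the `dcrResourceId` / `userAssignedIdentityResourceId` overrides rely on those parameters existing in the new `.tmpl.json` files, which are not visible here. The landing-zone hunk (`@@ -1348,6 +1471,94 @@`) repeats all of this verbatim, so the same comments belong there.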
@@ -1348,6 +1471,94 @@ module modPolicyAssignmentLzsDeploySqlTde '../../../policy/assignments/policyAss
 }
 }
 
+// Module - Policy Assignment - Deploy-vmArc-ChangeTrack
+module modPolicyAssignmentLzsDeployVmArcTrack '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmArcChangeTrack.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmArcTrack
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmArcChangeTrack.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVmArcChangeTrack.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmArcChangeTrack.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVmArcChangeTrack.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVmArcChangeTrack.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmArcChangeTrack.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVmArcChangeTrack.libDefinition.properties.enforcementMode
+ parPolicyAssignmentParameterOverrides: {
+ dcrResourceId: {
+ value: parDataCollectionRuleChangeTrackingResourceId
+ }
+ }
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.logAnalyticsContributor
+ varRbacRoleDefinitionIds.monitoringContributor
+ varRbacRoleDefinitionIds.reader
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-VM-ChangeTrack
+module modPolicyAssignmentLzsDeployVmChangeTrack '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmChangeTrack.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmChangeTrack
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmChangeTrack.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVmChangeTrack.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmChangeTrack.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVmChangeTrack.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVmChangeTrack.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmChangeTrack.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVmChangeTrack.libDefinition.properties.enforcementMode
+ parPolicyAssignmentParameterOverrides: {
+ dcrResourceId: {
+ value: parDataCollectionRuleChangeTrackingResourceId
+ }
+ userAssignedIdentityResourceId: {
+ value: parUserAssignedManagedIdentityResourceId
+ }
+ }
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.vmContributor
+ varRbacRoleDefinitionIds.logAnalyticsContributor
+ varRbacRoleDefinitionIds.monitoringContributor
+ varRbacRoleDefinitionIds.managedIdentityReader
+ varRbacRoleDefinitionIds.reader
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-VMSS-ChangeTrack
+module modPolicyAssignmentLzsDeployVmssChangeTrack '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmssChangeTrack.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmssChangeTrack
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmssChangeTrack.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVmssChangeTrack.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmssChangeTrack.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVmssChangeTrack.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVmssChangeTrack.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmssChangeTrack.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVmssChangeTrack.libDefinition.properties.enforcementMode
+ parPolicyAssignmentParameterOverrides: {
+ dcrResourceId: {
+ value: parDataCollectionRuleChangeTrackingResourceId
+ }
+ userAssignedIdentityResourceId: {
+ value: parUserAssignedManagedIdentityResourceId
+ }
+ }
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.vmContributor
+ varRbacRoleDefinitionIds.logAnalyticsContributor
+ varRbacRoleDefinitionIds.monitoringContributor
+ varRbacRoleDefinitionIds.managedIdentityReader
+ varRbacRoleDefinitionIds.reader
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
 // Module - Policy Assignment - Enforce-GR-KeyVault
 module modPolicyAssignmentLzsEnforceGrKeyVault '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceGRKeyVault.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZones)
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
index b0981255b..dbce3cd26 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
@@ -8,13 +8,17 @@ Parameter name | Required | Description -------------- | -------- | ----------- parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy. parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix -parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable` - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment. -parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. 
+parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable` - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment. +parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups. parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. 
If set to false, policies will not try to be assigned to corp or online Management Groups. parLandingZoneMgConfidentialEnable | No | Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups parLogAnalyticsWorkSpaceAndAutomationAccountLocation | No | The region where the Log Analytics Workspace & Automation Account are deployed. -parLogAnalyticsWorkspaceResourceId | No | Log Analytics Workspace Resource ID. +parLogAnalyticsWorkspaceResourceId | Yes | Log Analytics Workspace Resource ID. +parDataCollectionRuleVMInsightsResourceId | Yes | Data Collection Rule VM Insights Resource ID. +parDataCollectionRuleChangeTrackingResourceId | Yes | Data Collection Rule Change Tracking Resource ID. +parDataCollectionRuleMDFCSQLResourceId | Yes | Data Collection Rule MDFC SQL Resource ID. +parUserAssignedManagedIdentityResourceId | Yes | User Assigned Managed Identity Resource ID. parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log retention for Log Analytics Workspace. parAutomationAccountName | No | Automation account name. parMsDefenderForCloudEmailSecurityContact | No | An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to. diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json index 6f500b846..880a4b147 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json 
@@ -41,6 +41,18 @@
 "parLogAnalyticsWorkspaceLogRetentionInDays": {
 "value": "365"
 },
+ "parDataCollectionRuleVMInsightsResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr"
+ },
+ "parDataCollectionRuleChangeTrackingResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-ct-dcr"
+ },
+ "parDataCollectionRuleMDFCSQLResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/ama-mdfcsql-default-dcr"
+ },
+ "parUserAssignedManagedIdentityResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/alz-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/alz-umi-identity"
+ },
 "parAutomationAccountName": {
 "value": "alz-automation-account"
 },
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json
index 515ac1130..0bdbd8bce 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json
@@ -11,6 +11,18 @@
 "parLogAnalyticsWorkspaceResourceId": {
 "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics"
 },
+ "parDataCollectionRuleVMInsightsResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr"
+ },
+ "parDataCollectionRuleChangeTrackingResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-ct-dcr"
+ },
+ "parDataCollectionRuleMDFCSQLResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/ama-mdfcsql-default-dcr"
+ },
+ "parUserAssignedManagedIdentityResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/alz-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/alz-umi-identity"
+ },
 "parLogAnalyticsWorkspaceLogRetentionInDays": {
 "value": "365"
 },
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_changetrack.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_changetrack.tmpl.json
new file mode 100644
index 000000000..50e513126
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_changetrack.tmpl.json
@@ -0,0 +1,25 @@
+{
+ "name": "Deploy-vmArc-ChangeTrack",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable ChangeTracking and Inventory for Arc-enabled virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations.",
+ "displayName": "Enable ChangeTracking and Inventory for Arc-enabled virtual machines",
+ "notScopes": [],
+ "parameters": {
+ "dcrResourceId": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/${parDataCollectionRuleChangeTrackingName}"
+ },
+ "effect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/53448c70-089b-4f52-8f38-89196d7f2de1",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json
new file mode 100644
index 000000000..8f3240107
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json
@@ -0,0 +1,34 @@
+{
+ "name": "Deploy-VM-ChangeTrack",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable ChangeTracking and Inventory for virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent.",
+ "displayName": "Enable ChangeTracking and Inventory for virtual machines",
+ "notScopes": [],
+ "parameters": {
+ "dcrResourceId": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/${parDataCollectionRuleChangeTrackingName}"
+ },
+ "bringYourOwnUserAssignedManagedIdentity": {
+ "value": true
+ },
+ "restrictBringYourOwnUserAssignedIdentityToSubscription": {
+ "value": false
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${parUserAssignedManagedIdentityName}"
+ },
+ "effect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/92a36f05-ebc9-4bba-9128-b47ad2ea3354",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json
new file mode 100644
index 000000000..6ced5fd69
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json
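Review bot: `restrictBringYourOwnUserAssignedIdentityToSubscription` is set to `false` alongside `bringYourOwnUserAssignedManagedIdentity: true`, which, going by the parameter names and the sample resource ID, lets the single identity held in the `alz-logging` resource group be attached to virtual machines in every subscription under the assignment scope; that is a deliberate cross-subscription trust decision and nothing visible records why. JSON carries no comments and the `description` field does not mention it, so the rationale belongs where the module is documented, for instance in the `@sys.description` of `parUserAssignedManagedIdentityResourceId`: `User Assigned Managed Identity Resource ID. This one identity is attached by policy to VMs in every subscription under the assignment scope.`. The same pair of settings appears in `policy_assignment_es_deploy_vmss_changetrack.tmpl.json` in the next hunk.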
@@ -0,0 +1,34 @@
+{
+ "name": "Deploy-VMSS-ChangeTrack",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable ChangeTracking and Inventory for virtual machine scale sets. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent.",
+ "displayName": "Enable ChangeTracking and Inventory for virtual machine scale sets",
+ "notScopes": [],
+ "parameters": {
+ "dcrResourceId": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/${parDataCollectionRuleChangeTrackingName}"
+ },
+ "bringYourOwnUserAssignedManagedIdentity": {
+ "value": true
+ },
+ "restrictBringYourOwnUserAssignedIdentityToSubscription": {
+ "value": false
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${parUserAssignedManagedIdentityName}"
+ },
+ "effect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/c4a70814-96be-461c-889f-2b27429120dc",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
From 79945e0df83ec167d88be53e6f66f9759c604f0d Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Wed, 19 Jun 2024 00:21:40 -0500
Subject: [PATCH 27/50] Add VM insights policy assignments
---
 .../alzDefaultPolicyAssignments.bicep | 263 +++++++++++++-----
 ...ignment_es_deploy_vm_arc_monitor.tmpl.json | 28 ++
 ..._assignment_es_deploy_vm_monitor.tmpl.json | 40 +++
 ...signment_es_deploy_vm_monitoring.tmpl.json | 22 --
 ...ssignment_es_deploy_vmss_monitor.tmpl.json | 40 +++
 ...gnment_es_deploy_vmss_monitoring.tmpl.json | 22 --
 6 files changed, 308 insertions(+), 107 deletions(-)
 create mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json
 create mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json
 delete mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json
 create mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json
 delete mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
index d8162b4e9..f34b4eeea 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -84,8 +84,8 @@ param parDataCollectionRuleVMInsightsResourceId string = ''
 @sys.description('Data Collection Rule Change Tracking Resource ID.')
 param parDataCollectionRuleChangeTrackingResourceId string = ''
 
-@sys.description('Data Collection Rule MDFC SQL Resource ID.')
-param parDataCollectionRuleMDFCSQLResourceId string = ''
+// @sys.description('Data Collection Rule MDFC SQL Resource ID.')
+// param parDataCollectionRuleMDFCSQLResourceId string = ''
 
 @sys.description('User Assigned Managed Identity Resource ID.')
 param parUserAssignedManagedIdentityResourceId string = ''
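Review bot: Commenting out `parDataCollectionRuleMDFCSQLResourceId` instead of deleting it leaves dead code in the parameter section, and the parameter is still supplied by `alzDefaultPolicyAssignments.parameters.all.json` and `.min.json` (added earlier in this series) and listed as required in the generated docs; ARM rejects a deployment whose parameter file names a parameter the template does not declare, so those files break unless a later patch in the series removes the entries. Either drop the two lines outright (history keeps them) or, if the parameter is being held for a future MDFC SQL assignment, keep it declared and mark it `// Not yet referenced by any module; reserved for the MDFC SQL DCR assignment` so the parameter files stay valid. The context lines also show these DCR and UMI parameters defaulting to `''` while the generated docs mark them as Required: Yes; the two should be reconciled.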
@@ -153,8 +153,6 @@ var varModuleDeploymentNames = {
 modPolicyAssignmentIntRootDeployAzActivityLog: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAzActivityLog-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentIntRootDeployAscMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployASCMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentIntRootDeployResourceDiag: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployResourceDiag-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
- modPolicyAssignmentIntRootDeployVmMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
- modPolicyAssignmentIntRootDeployVmssMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMSSMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentIntRootDeployMDEnpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMDEndpoints-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentIntRootDeployMDEnpointsAma: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMDEndpointsAma-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentIntRootEnforceAcsb: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAcsb-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
@@ -169,6 +167,9 @@ var varModuleDeploymentNames = {
 modPolicyAssignmentPlatformDeployVmArcTrack: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmArcChangeTrack-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformDeployVmChangeTrack: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmChangeTrack-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformDeployVmssChangeTrack: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssChangeTrack-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentPlatformDeployVmArcMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmArcMonitor-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentPlatformDeployVmMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmMonitor-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentPlatformDeployVmssMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssMonitor-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformEnforceAsr: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceBackup-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentConnEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-conn-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
@@ -195,6 +196,9 @@ var varModuleDeploymentNames = {
 modPolicyAssignmentLzsDeployVmArcTrack: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmArcChangeTrack-Lzs-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsDeployVmChangeTrack: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmChangeTrack-Lzs-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsDeployVmssChangeTrack: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssChangeTrack-Lzs-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDeployVmArcMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmArcMonitor-Lzs-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDeployVmMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmMonitor-Lzs-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDeployVmssMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssMonitor-Lzs-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsEnforceAsr: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsAuditAppGwWaf: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditAppGwWaf-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
@@ -411,14 +415,19 @@ var varPolicyAssignmentDeployVmssChangeTrack = {
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json')
 }
 
-var varPolicyAssignmentDeployVMMonitoring = {
- definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a'
- libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json')
+var varPolicyAssignmentDeployVmArcMonitor= {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/2b00397d-c309-49c4-aa5a-f0b2c5bc6321'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json')
 }
 
-var varPolicyAssignmentDeployVMSSMonitoring = {
- definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad'
- libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json')
+var varPolicyAssignmentDeployVmMonitor = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json')
+}
+
+var varPolicyAssignmentDeployVmssMonitor = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json')
 }
 
 var varPolicyAssignmentEnableDDoSVNET = {
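Review bot: `var varPolicyAssignmentDeployVmArcMonitor= {` is missing the space before `=` that every other `var` in this block has; change it to `var varPolicyAssignmentDeployVmArcMonitor = {`. The three new `definitionId` GUIDs are hard-coded here while, judging by the change-track template files added earlier in the series, each `.tmpl.json` also carries its own `policyDefinitionId`; a disagreement between the two copies would not be caught by the compiler, so it is worth confirming the three monitor templates (not shown in this chunk) name the same policy set IDs.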
@@ -471,7 +480,7 @@ var varRbacRoleDefinitionIds = {
 backupContributor: '5e467623-bb1f-42f4-a55d-6e525e11384b'
 rbacSecurityAdmin: 'fb1c8493-542b-48eb-b624-b4c8fea62acd'
 reader: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
- managedIdentityReader: 'f1a07417-d97a-45cb-824c-7a746778383'
+ managedIdentityOperator: 'f1a07417-d97a-45cb-824c-7a7467783830'
 }
 
 // Management Groups Variables - Used For Policy Assignments
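Review bot: The new `managedIdentityOperator` line quietly fixes a second defect: the removed value ends in `7a746778383`, eleven hex characters where a GUID's last group needs twelve, so the old `managedIdentityReader` ID was malformed and any role assignment built from it would have failed. Neither the rename nor the corrected GUID is mentioned in the commit message ("Add VM insights policy assignments"); it should be, and the entry deserves an inline note on why the policy identity holds this role, e.g. `managedIdentityOperator: 'f1a07417-d97a-45cb-824c-7a7467783830' // Managed Identity Operator: lets the DINE remediation attach the user-assigned identity to VMs`. Any reference to `managedIdentityReader` outside this diff would no longer compile, so a repository-wide search for the old key is worth doing before merge.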
@@ -737,54 +746,6 @@ module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments
 }
 }
 
-// Module - Policy Assignment - Deploy-VM-Monitoring
-module modPolicyAssignmentIntRootDeployVmMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitoring.libDefinition.name)) {
- scope: managementGroup(varManagementGroupIds.intRoot)
- name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmMonitoring
- params: {
- parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitoring.definitionId
- parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitoring.libDefinition.name
- parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.displayName
- parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.description
- parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.parameters
- parPolicyAssignmentParameterOverrides: {
- logAnalytics_1: {
- value: parLogAnalyticsWorkspaceResourceId
- }
- }
- parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type
- parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode
- parPolicyAssignmentIdentityRoleDefinitionIds: [
- varRbacRoleDefinitionIds.logAnalyticsContributor
- ]
- parTelemetryOptOut: parTelemetryOptOut
- }
-}
-
-// Module - Policy Assignment - Deploy-VMSS-Monitoring
-module modPolicyAssignmentIntRootDeployVmssMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name)) {
- scope: managementGroup(varManagementGroupIds.intRoot)
- name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmssMonitoring
- params: {
- parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitoring.definitionId
- parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name
- parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.displayName
- parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.description
- parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.parameters
- parPolicyAssignmentParameterOverrides: {
- logAnalytics_1: {
- value: parLogAnalyticsWorkspaceResourceId
- }
- }
- parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type
- parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode
- parPolicyAssignmentIdentityRoleDefinitionIds: [
- varRbacRoleDefinitionIds.logAnalyticsContributor
- ]
- parTelemetryOptOut: parTelemetryOptOut
- }
-}
-
 // Module - Policy Assignment - Enforce-ACSB
 module modPolicyAssignmentIntRootEnforceAcsb '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceACSB.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.intRoot)
@@ -990,7 +951,7 @@ module modPolicyAssignmentPlatformDeployVmChangeTrack '../../../policy/assignmen
 varRbacRoleDefinitionIds.vmContributor
 varRbacRoleDefinitionIds.logAnalyticsContributor
 varRbacRoleDefinitionIds.monitoringContributor
- varRbacRoleDefinitionIds.managedIdentityReader
+ varRbacRoleDefinitionIds.managedIdentityOperator
 varRbacRoleDefinitionIds.reader
 ]
 parTelemetryOptOut: parTelemetryOptOut
@@ -1021,7 +982,95 @@ module modPolicyAssignmentPlatformDeployVmssChangeTrack '../../../policy/assignm
 varRbacRoleDefinitionIds.vmContributor
 varRbacRoleDefinitionIds.logAnalyticsContributor
 varRbacRoleDefinitionIds.monitoringContributor
- varRbacRoleDefinitionIds.managedIdentityReader
+ varRbacRoleDefinitionIds.managedIdentityOperator
+ varRbacRoleDefinitionIds.reader
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-vmHybr-Monitor-24
+module modPolicyAssignmentPlatformDeployVmArcMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmArcMonitor.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.platform)
+ name: varModuleDeploymentNames.modPolicyAssignmentPlatformDeployVmArcMonitor
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmArcMonitor.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVmArcMonitor.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmArcMonitor.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVmArcMonitor.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVmArcMonitor.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmArcMonitor.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVmArcMonitor.libDefinition.properties.enforcementMode
+ parPolicyAssignmentParameterOverrides: {
+ dcrResourceId: {
+ value: parDataCollectionRuleVMInsightsResourceId
+ }
+ }
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.logAnalyticsContributor
+ varRbacRoleDefinitionIds.monitoringContributor
+ varRbacRoleDefinitionIds.reader
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-VM-Monitor-24
+module modPolicyAssignmentPlatformDeployVmMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmMonitor.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.platform)
+ name: varModuleDeploymentNames.modPolicyAssignmentPlatformDeployVmMonitor
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmMonitor.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVmMonitor.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmMonitor.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVmMonitor.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVmMonitor.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmMonitor.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVmMonitor.libDefinition.properties.enforcementMode
+ parPolicyAssignmentParameterOverrides: {
+ dcrResourceId: {
+ value: parDataCollectionRuleVMInsightsResourceId
+ }
+ userAssignedIdentityResourceId: {
+ value: parUserAssignedManagedIdentityResourceId
+ }
+ }
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.vmContributor
+ varRbacRoleDefinitionIds.logAnalyticsContributor
+ varRbacRoleDefinitionIds.monitoringContributor
+ varRbacRoleDefinitionIds.managedIdentityOperator
+ varRbacRoleDefinitionIds.reader
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-VMSS-Monitor-24
+module modPolicyAssignmentPlatformDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmssMonitor.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.platform)
+ name: varModuleDeploymentNames.modPolicyAssignmentPlatformDeployVmssMonitor
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmssMonitor.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVmssMonitor.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmssMonitor.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVmssMonitor.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVmssMonitor.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmssMonitor.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVmssMonitor.libDefinition.properties.enforcementMode
+ parPolicyAssignmentParameterOverrides: {
+ dcrResourceId: {
+ value: parDataCollectionRuleChangeTrackingResourceId
+ }
+ userAssignedIdentityResourceId: {
+ value: parUserAssignedManagedIdentityResourceId
+ }
+ }
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.vmContributor
+ varRbacRoleDefinitionIds.logAnalyticsContributor
+ varRbacRoleDefinitionIds.monitoringContributor
+ varRbacRoleDefinitionIds.managedIdentityOperator
 varRbacRoleDefinitionIds.reader
 ]
 parTelemetryOptOut: parTelemetryOptOut
@@ -1521,7 +1570,7 @@ module modPolicyAssignmentLzsDeployVmChangeTrack '../../../policy/assignments/po
 varRbacRoleDefinitionIds.vmContributor
 varRbacRoleDefinitionIds.logAnalyticsContributor
 varRbacRoleDefinitionIds.monitoringContributor
- varRbacRoleDefinitionIds.managedIdentityReader
+ varRbacRoleDefinitionIds.managedIdentityOperator
 varRbacRoleDefinitionIds.reader
 ]
 parTelemetryOptOut: parTelemetryOptOut
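Review bot: In `modPolicyAssignmentPlatformDeployVmssMonitor` the `dcrResourceId` override is `parDataCollectionRuleChangeTrackingResourceId`, whereas the two sibling monitor modules in this hunk (`modPolicyAssignmentPlatformDeployVmArcMonitor`, `modPolicyAssignmentPlatformDeployVmMonitor`) use `parDataCollectionRuleVMInsightsResourceId`; as written, the VMSS VM-insights assignment would associate scale sets with the Change Tracking DCR rather than the VM Insights DCR, so the line should read `value: parDataCollectionRuleVMInsightsResourceId`. The landing-zone copy of this module, in the next hunk, runs past the end of this chunk and should be checked for the same copy-paste. Separately, the two monitoring assignments this patch deletes were scoped to `varManagementGroupIds.intRoot`, while the replacements are scoped to `varManagementGroupIds.platform` and `varManagementGroupIds.landingZones` only; if subscriptions under any other management group are intentionally left without VM-insights enforcement, the commit message should say so.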
@@ -1552,7 +1601,95 @@ module modPolicyAssignmentLzsDeployVmssChangeTrack '../../../policy/assignments/ varRbacRoleDefinitionIds.vmContributor varRbacRoleDefinitionIds.logAnalyticsContributor varRbacRoleDefinitionIds.monitoringContributor - varRbacRoleDefinitionIds.managedIdentityReader + varRbacRoleDefinitionIds.managedIdentityOperator + varRbacRoleDefinitionIds.reader + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-vmHybr-Monitor-24 +module modPolicyAssignmentLzsDeployVmArcMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmArcMonitor.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmArcMonitor + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmArcMonitor.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVmArcMonitor.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmArcMonitor.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVmArcMonitor.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVmArcMonitor.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmArcMonitor.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVmArcMonitor.libDefinition.properties.enforcementMode + parPolicyAssignmentParameterOverrides: { + dcrResourceId: { + value: parDataCollectionRuleVMInsightsResourceId + } + } + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.logAnalyticsContributor + varRbacRoleDefinitionIds.monitoringContributor + varRbacRoleDefinitionIds.reader + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-VM-Monitor-24 +module modPolicyAssignmentLzsDeployVmMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmMonitor.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmMonitor + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmMonitor.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVmMonitor.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmMonitor.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVmMonitor.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVmMonitor.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmMonitor.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVmMonitor.libDefinition.properties.enforcementMode + parPolicyAssignmentParameterOverrides: { + dcrResourceId: { + value: parDataCollectionRuleVMInsightsResourceId + } + userAssignedIdentityResourceId: { + value: parUserAssignedManagedIdentityResourceId + } + } + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.vmContributor + varRbacRoleDefinitionIds.logAnalyticsContributor + varRbacRoleDefinitionIds.monitoringContributor + varRbacRoleDefinitionIds.managedIdentityOperator + varRbacRoleDefinitionIds.reader + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-VMSS-ChangeTrack +module modPolicyAssignmentLzsDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmssMonitor.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmssMonitor + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmssMonitor.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVmssMonitor.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmssMonitor.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVmssMonitor.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVmssMonitor.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmssMonitor.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVmssMonitor.libDefinition.properties.enforcementMode + parPolicyAssignmentParameterOverrides: { + dcrResourceId: { + value: parDataCollectionRuleChangeTrackingResourceId + } + userAssignedIdentityResourceId: { + value: parUserAssignedManagedIdentityResourceId + } + } + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.vmContributor + varRbacRoleDefinitionIds.logAnalyticsContributor + varRbacRoleDefinitionIds.monitoringContributor + varRbacRoleDefinitionIds.managedIdentityOperator varRbacRoleDefinitionIds.reader ] parTelemetryOptOut: parTelemetryOptOut diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json new file mode 100644 index 000000000..904653811 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json 
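Review bot: `modPolicyAssignmentLzsDeployVmssMonitor` overrides `dcrResourceId` with `parDataCollectionRuleChangeTrackingResourceId`, while the VM and Arc monitor assignments in this same hunk pass `parDataCollectionRuleVMInsightsResourceId` and the library template for this assignment also names the VM Insights rule; this looks like a carry-over from the change-tracking block, so the line should read `value: parDataCollectionRuleVMInsightsResourceId`. The platform-scope VMSS monitor assignment in the hunk above has the same override. The header comment above that module also still says `// Module - Policy Assignment - Deploy-VMSS-ChangeTrack` and should be `// Module - Policy Assignment - Deploy-VMSS-Monitor-24` to match the platform copy. Both ends of this hunk fall inside module bodies that continue outside it.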
@@ -0,0 +1,28 @@
+{
+ "name": "Deploy-vmHybr-Monitor-24",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Azure Monitor for Hybrid Virtual Machines in the specified scope (Management group, Subscription or resource group).",
+ "displayName": "Enable Azure Monitor for Hybrid Virtual Machines",
+ "notScopes": [],
+ "parameters": {
+ "dcrResourceId": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/${parDataCollectionRuleVMInsightsResourceId}"
+ },
+ "enableProcessesAndDependencies": {
+ "value": true
+ },
+ "effect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/2b00397d-c309-49c4-aa5a-f0b2c5bc6321",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json
new file mode 100644
index 000000000..06d8792f8
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json
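Review bot: The `dcrResourceId` default concatenates a data-collection-rule path prefix with `${parDataCollectionRuleVMInsightsResourceId}`, and that placeholder is named as a full resource ID, so a substituted value would come out as `.../dataCollectionRules//subscriptions/...`, which is malformed. The Bicep assignment overrides this parameter, so the default appears never to be used as-is, but the template should still be self-consistent: either make the whole value the placeholder, `"value": "${parDataCollectionRuleVMInsightsResourceId}"`, or give the token a name-style label. The new `vm_monitor` and `vmss_monitor` templates below carry the same default.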
@@ -0,0 +1,40 @@
+{
+ "name": "Deploy-VM-Monitor-24",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter.",
+ "displayName": "Enable Azure Monitor for VMs",
+ "notScopes": [],
+ "parameters": {
+ "dcrResourceId": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/${parDataCollectionRuleVMInsightsResourceId}"
+ },
+ "enableProcessesAndDependencies": {
+ "value": true
+ },
+ "scopeToSupportedImages": {
+ "value": false
+ },
+ "bringYourOwnUserAssignedManagedIdentity": {
+ "value": true
+ },
+ "restrictBringYourOwnUserAssignedIdentityToSubscription": {
+ "value": false
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${parUserAssignedManagedIdentityName}"
+ },
+ "effect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json
deleted file mode 100644
index 738007b0b..000000000
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json
+++ /dev/null
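Review bot: With `bringYourOwnUserAssignedManagedIdentity` set to `true` and `restrictBringYourOwnUserAssignedIdentityToSubscription` set to `false`, the remediation attaches the single identity named in `userAssignedIdentityResourceId` to every in-scope VM across subscriptions; code running on any of those VMs can then obtain tokens for that identity, so its role assignments must stay limited to what the monitoring agent needs, and that expectation belongs next to the parameter that supplies it. I would add to the description of the Bicep parameter that feeds this override a sentence such as "This identity is attached to every VM/VMSS the monitor assignments remediate; grant it only the monitoring data-plane roles AMA requires." The default value also references `${parUserAssignedManagedIdentityName}`, which does not correspond to any Bicep parameter visible here (the module exposes `parUserAssignedManagedIdentityResourceId`); the override hides this, but the placeholder should match. The `vmss_monitor` template below has identical settings.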
@@ -1,22 +0,0 @@
-{
- "name": "Deploy-VM-Monitoring",
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
- "properties": {
- "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter.",
- "displayName": "Enable Azure Monitor for VMs",
- "notScopes": [],
- "parameters": {
- "logAnalytics_1": {
- "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
- }
- },
- "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a",
- "scope": null,
- "enforcementMode": "Default"
- },
- "location": null,
- "identity": {
- "type": "SystemAssigned"
- }
-}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json
new file mode 100644
index 000000000..81f125f3b
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json
@@ -0,0 +1,40 @@
+{
+ "name": "Deploy-VMSS-Monitor-24",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.",
+ "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets",
+ "notScopes": [],
+ "parameters": {
+ "dcrResourceId": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/${parDataCollectionRuleVMInsightsResourceId}"
+ },
+ "enableProcessesAndDependencies": {
+ "value": true
+ },
+ "scopeToSupportedImages": {
+ "value": false
+ },
+ "bringYourOwnUserAssignedManagedIdentity": {
+ "value": true
+ },
+ "restrictBringYourOwnUserAssignedIdentityToSubscription": {
+ "value": false
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${parUserAssignedManagedIdentityName}"
+ },
+ "effect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json
deleted file mode 100644
index a6e144263..000000000
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "name": "Deploy-VMSS-Monitoring", - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "properties": { - "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.", - "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets", - "notScopes": [], - "parameters": { - "logAnalytics_1": { - "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la" - } - }, - "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad", - "scope": null, - "enforcementMode": "Default" - }, - "location": null, - "identity": { - "type": "SystemAssigned" - } -} \ No newline at end of file From f45cd361e17fbbe99a0b93c595b6a27c0c51a22f Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Wed, 19 Jun 2024 00:53:05 -0500 Subject: [PATCH 28/50] Add AUM-CheckUpdates enforce policy assignment --- .../alzDefaultPolicyAssignments.bicep | 62 +++++++++++++++++-- ...ment_es_enforce_aum_checkupdates.tmpl.json | 22 +++++++ 2 files changed, 78 insertions(+), 6 deletions(-) create mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_aum_checkupdates.tmpl.json 
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index f34b4eeea..eb04ba7c3 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -172,6 +172,7 @@ var varModuleDeploymentNames = { modPolicyAssignmentPlatformDeployVmssMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssMonitor-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentPlatformEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentPlatformEnforceAsr: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceBackup-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentPlatformAumCheckUpdates: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceAumCheckUpdates-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentConnEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-conn-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIdentDenyPublicIp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIdentDenyMgmtPortsFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyMgmtFromInet-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) 
@@ -193,14 +194,15 @@ var varModuleDeploymentNames = { modPolicyAssignmentLzsDeployAzSqlDbAuditing: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAzSQLDBAudit-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsDeploySqlThreat: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLThreat-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsDeploySqlTde: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLTde-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDeployVmArcTrack: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmArcChangeTrack-Lzs-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDeployVmChangeTrack: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmChangeTrack-Lzs-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDeployVmssChangeTrack: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssChangeTrack-Lzs-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDeployVmArcMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmArcMonitor-Lzs-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDeployVmMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmMonitor-Lzs-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDeployVmssMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssMonitor-Lzs-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDeployVmArcTrack: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmArcChangeTrack-Lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDeployVmChangeTrack: 
take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmChangeTrack-Lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDeployVmssChangeTrack: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssChangeTrack-Lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDeployVmArcMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmArcMonitor-Lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDeployVmMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmMonitor-Lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDeployVmssMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssMonitor-Lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsEnforceAsr: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsAumCheckUpdates: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceAumCheckUpdates-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsAuditAppGwWaf: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditAppGwWaf-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceSovereigntyConf-confidential-online-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsCorpDenyPublicEndpoints: 
take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) @@ -310,6 +312,11 @@ var varPolicyAssignmentEnforceSovereignGlobal = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_global.tmpl.json') } +var varPolicyAssignmentEnforceAumCheckUpdates= { + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates' + libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_aum_checkupdates.tmpl.json') +} + var varPolicyAssignmentDenyStoragehttp = { definitionId: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json') @@ -481,6 +488,7 @@ var varRbacRoleDefinitionIds = { rbacSecurityAdmin: 'fb1c8493-542b-48eb-b624-b4c8fea62acd' reader: 'acdd72a7-3385-48ef-bd42-f606fba81ae7' managedIdentityOperator: 'f1a07417-d97a-45cb-824c-7a7467783830' + connectedMachineResourceAdministrator: 'cd570a14-e51a-42ad-bac8-bafd67325302' } // Management Groups Variables - Used For Policy Assignments 
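Review bot: The renamed deployment-name suffixes use `-Lz-` while every neighbouring landing-zone key in this map uses lowercase `-lz-` (`...-enforceGrKeyVault-lz-...`, `...-deployEnforceBackup-lz-...`), including the `modPolicyAssignmentLzsAumCheckUpdates` entry this hunk adds. Since the rename already touches these six lines, normalising them to `-lz-` would leave the map with a single convention.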
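Review bot: `var varPolicyAssignmentEnforceAumCheckUpdates= {` is missing the space before `=` that every other `varPolicyAssignment*` declaration in this file has. It compiles either way, but the surrounding blocks all follow the `name = {` form, so this one stands out in a scan; `var varPolicyAssignmentEnforceAumCheckUpdates = {`.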
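Review bot: The new `connectedMachineResourceAdministrator` entry, like the rest of this map, carries only a GUID, so a reviewer cannot confirm from the diff which built-in role the assignment identity is being granted. As far as I can tell `cd570a14-e51a-42ad-bac8-bafd67325302` is the built-in Azure Connected Machine Resource Administrator role, which fits the Arc-enabled machines the AUM assignment targets; a trailing comment `// Azure Connected Machine Resource Administrator` would make that checkable at a glance, and the existing entries would benefit from the same treatment.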
@@ -1112,6 +1120,27 @@ module modPolicyAssignmentPlatformEnforceAsr '../../../policy/assignments/policy } } +// Module - Policy Assignment - Enable-AUM-CheckUpdates +module modPolicyAssignmentPlatformAumCheckUpdates '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceAumCheckUpdates.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.platform) + name: varModuleDeploymentNames.modPolicyAssignmentPlatformAumCheckUpdates + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceAumCheckUpdates.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnforceAumCheckUpdates.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceAumCheckUpdates.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnforceAumCheckUpdates.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnforceAumCheckUpdates.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceAumCheckUpdates.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceAumCheckUpdates.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.vmContributor + varRbacRoleDefinitionIds.connectedMachineResourceAdministrator + varRbacRoleDefinitionIds.managedIdentityOperator + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + // Modules - Policy Assignments - Connectivity Management Group // Module - Policy Assignment - Enable-DDoS-VNET module modPolicyAssignmentConnEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(parDdosProtectionPlanId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnableDDoSVNET.libDefinition.name))) { 
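Review bot: The assignment identity is granted `managedIdentityOperator`, but the AUM-CheckUpdates template added in this commit only sets `assessmentMode` and passes no user-assigned identity for the remediation to attach, so the Operator role looks unneeded here. Unless the custom `Deploy-AUM-CheckUpdates` policy set's `roleDefinitionIds` require it, the list should be trimmed to `varRbacRoleDefinitionIds.vmContributor` and `varRbacRoleDefinitionIds.connectedMachineResourceAdministrator`, keeping the identity to the rights its deployment actually exercises. The landing-zone copy in the next hunk has the same list.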
@@ -1731,6 +1760,27 @@ module modPolicyAssignmentLzsEnforceAsr '../../../policy/assignments/policyAssig } } +// Module - Policy Assignment - Enable-AUM-CheckUpdates +module modPolicyAssignmentLzsAumCheckUpdates '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceAumCheckUpdates.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsAumCheckUpdates + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceAumCheckUpdates.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnforceAumCheckUpdates.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceAumCheckUpdates.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnforceAumCheckUpdates.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnforceAumCheckUpdates.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceAumCheckUpdates.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceAumCheckUpdates.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.vmContributor + varRbacRoleDefinitionIds.connectedMachineResourceAdministrator + varRbacRoleDefinitionIds.managedIdentityOperator + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + // Module - Policy Assignment - Audit-AppGW-WAF module modPolicyAssignmentLzsAuditAppGwWaf '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentAuditAppGWWAF.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.landingZones) 
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_aum_checkupdates.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_aum_checkupdates.tmpl.json
new file mode 100644
index 000000000..5f925b340
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_aum_checkupdates.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Enable-AUM-CheckUpdates",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
+ "displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines.",
+ "notScopes": [],
+ "parameters": {
+ "assessmentMode": {
+ "value": "AutomaticByPlatform"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
From 58e1b0f802e41055545e85ebbb3708c7521d1aaf Mon Sep 17 00:00:00 2001
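Review bot: The `displayName` reads like a sentence rather than a title: `azure` is lower-case and it ends with a period, unlike the other assignment display names in this library (`Enable Azure Monitor for VMs`, `Enable Azure Monitor for Virtual Machine Scale Sets`). Suggest `"displayName": "Configure periodic checking for missing system updates on Azure virtual machines and Arc-enabled virtual machines"`. This string is what operators see as the assignment's name, so the casing is user-visible.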
From: Zach Trocinski Date: Wed, 19 Jun 2024 01:53:25 -0500 Subject: [PATCH 29/50] Add assignment for mdfc-sql-ama --- .../alzDefaultPolicyAssignments.bicep | 84 +++++++++++++++++-- ...ssignment_es_deploy_mdfc_sql-ama.tmpl.json | 34 ++++++++ ...ent_es_deploy_vm_arc_changetrack.tmpl.json | 2 +- ...ignment_es_deploy_vm_arc_monitor.tmpl.json | 2 +- ...ignment_es_deploy_vm_changetrack.tmpl.json | 4 +- ..._assignment_es_deploy_vm_monitor.tmpl.json | 4 +- ...nment_es_deploy_vmss_changetrack.tmpl.json | 4 +- ...ssignment_es_deploy_vmss_monitor.tmpl.json | 4 +- 8 files changed, 122 insertions(+), 16 deletions(-) create mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sql-ama.tmpl.json diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index eb04ba7c3..906f62ba4 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -84,8 +84,8 @@ param parDataCollectionRuleVMInsightsResourceId string = '' @sys.description('Data Collection Rule Change Tracking Resource ID.') param parDataCollectionRuleChangeTrackingResourceId string = '' -// @sys.description('Data Collection Rule MDFC SQL Resource ID.') -// param parDataCollectionRuleMDFCSQLResourceId string = '' +@sys.description('Data Collection Rule MDFC SQL Resource ID.') +param parDataCollectionRuleMDFCSQLResourceId string = '' @sys.description('User Assigned Managed Identity Resource ID.') param parUserAssignedManagedIdentityResourceId string = '' 
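Review bot: `parDataCollectionRuleMDFCSQLResourceId` is re-enabled with a default of `''`, and, like the two DCR parameters above it, nothing visible validates that a value was supplied. An empty resource ID handed to a DeployIfNotExists assignment would most likely leave that assignment's remediation unable to succeed, so the module that consumes it should be gated the way `modPolicyAssignmentConnEnableDdosVnet` is gated on `!empty(parDdosProtectionPlanId)`: `if (!empty(parDataCollectionRuleMDFCSQLResourceId) && !contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMdfcDefSqlAma.libDefinition.name))`. The consuming module later in this commit is cut off at the end of the view, so I cannot confirm whether it already does this.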
@@ -170,9 +170,10 @@ var varModuleDeploymentNames = { modPolicyAssignmentPlatformDeployVmArcMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmArcMonitor-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentPlatformDeployVmMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmMonitor-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentPlatformDeployVmssMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssMonitor-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentPlatformDeployMdfcDefSqlAma: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMdfcDefSqlAma-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentPlatformEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentPlatformEnforceAsr: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceBackup-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentPlatformAumCheckUpdates: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceAumCheckUpdates-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentPlatformEnforceAumCheckUpdates: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceAumCheckUpdates-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentConnEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-conn-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIdentDenyPublicIp: 
take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIdentDenyMgmtPortsFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyMgmtFromInet-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) @@ -200,6 +201,7 @@ var varModuleDeploymentNames = { modPolicyAssignmentLzsDeployVmArcMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmArcMonitor-Lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsDeployVmMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmMonitor-Lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsDeployVmssMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssMonitor-Lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDeployMdfcDefSqlAma: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMdfcDefSqlAma-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsEnforceAsr: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsAumCheckUpdates: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceAumCheckUpdates-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) 
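Review bot: Renaming the platform key to `modPolicyAssignmentPlatformEnforceAumCheckUpdates` leaves it out of step with the landing-zone key `modPolicyAssignmentLzsAumCheckUpdates`, which the next hunk keeps unchanged, and the platform module added in the previous commit referenced `varModuleDeploymentNames.modPolicyAssignmentPlatformAumCheckUpdates`. Unless a hunk not shown here updates that `name:` reference, the template no longer compiles. Either apply the `Enforce` rename to both keys and both module references, or keep the old key.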
@@ -437,6 +439,11 @@ var varPolicyAssignmentDeployVmssMonitor = {
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json')
 }
 
+var varPolicyAssignmentDeployMdfcDefSqlAma = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/de01d381-bae9-4670-8870-786f89f49e26'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sql-ama.tmpl.json')
+}
+
 var varPolicyAssignmentEnableDDoSVNET = {
 definitionId: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d'
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json')
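Review bot: The initiative GUID `de01d381-bae9-4670-8870-786f89f49e26` hard-coded in `varPolicyAssignmentDeployMdfcDefSqlAma.definitionId` is repeated verbatim as `policyDefinitionId` in the new template file, and nothing on the Bicep side says which initiative it is, so a reviewer has to resolve the GUID before they can audit what this assignment deploys. A one-line comment above the var would make both the identity and the duplication explicit: `// Built-in initiative 'Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers'; keep in sync with policyDefinitionId in policy_assignment_es_deploy_mdfc_sql-ama.tmpl.json`. The display name is taken from the template added later in this series; confirm it matches the built-in definition before quoting it.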
@@ -1054,6 +1061,40 @@ module modPolicyAssignmentPlatformDeployVmMonitor '../../../policy/assignments/p } } +// Module - Policy Assignment - Deploy-MDFC-DefSQL-AMA +module modPolicyAssignmentPlatformDeployMdfcDefSqlAma '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMdfcDefSqlAma.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.platform) + name: varModuleDeploymentNames.modPolicyAssignmentPlatformDeployMdfcDefSqlAma + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployMdfcDefSqlAma.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployMdfcDefSqlAma.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployMdfcDefSqlAma.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployMdfcDefSqlAma.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployMdfcDefSqlAma.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployMdfcDefSqlAma.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployMdfcDefSqlAma.libDefinition.properties.enforcementMode + parPolicyAssignmentParameterOverrides: { + userWorkspaceResourceId: { + value: parLogAnalyticsWorkspaceResourceId + } + dcrResourceId: { + value: parDataCollectionRuleMDFCSQLResourceId + } + userAssignedIdentityResourceId: { + value: parUserAssignedManagedIdentityResourceId + } + } + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.vmContributor + varRbacRoleDefinitionIds.logAnalyticsContributor + varRbacRoleDefinitionIds.monitoringContributor + varRbacRoleDefinitionIds.managedIdentityOperator + varRbacRoleDefinitionIds.reader + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + // Module - Policy Assignment - Deploy-VMSS-Monitor-24 module modPolicyAssignmentPlatformDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmssMonitor.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.platform) 
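Review bot: The five roles granted to the assignment's system-assigned identity at the platform management group (`vmContributor`, `logAnalyticsContributor`, `monitoringContributor`, `managedIdentityOperator`, `reader`) come with no explanation of which DeployIfNotExists step needs each one, which makes a least-privilege review of this write-capable identity guesswork. A comment above `parPolicyAssignmentIdentityRoleDefinitionIds` should map each role to the action it enables — presumably extension installation on SQL VMs and Arc servers, attaching the user-assigned identity (`managedIdentityOperator`) and creating DCR associations (`monitoringContributor`); verify against the initiative's remediation templates rather than from memory. The module only passes `parUserAssignedManagedIdentityResourceId` through; whether that identity itself holds the workspace permissions the agent needs is decided outside this hunk.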
@@ -1121,9 +1162,9 @@ module modPolicyAssignmentPlatformEnforceAsr '../../../policy/assignments/policy } // Module - Policy Assignment - Enable-AUM-CheckUpdates -module modPolicyAssignmentPlatformAumCheckUpdates '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceAumCheckUpdates.libDefinition.name)) { +module modPolicyAssignmentPlatformEnforceAumCheckUpdates '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceAumCheckUpdates.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.platform) - name: varModuleDeploymentNames.modPolicyAssignmentPlatformAumCheckUpdates + name: varModuleDeploymentNames.modPolicyAssignmentPlatformEnforceAumCheckUpdates params: { parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceAumCheckUpdates.definitionId parPolicyAssignmentName: varPolicyAssignmentEnforceAumCheckUpdates.libDefinition.name @@ -1694,7 +1735,7 @@ module modPolicyAssignmentLzsDeployVmMonitor '../../../policy/assignments/policy } } -// Module - Policy Assignment - Deploy-VMSS-ChangeTrack +// Module - Policy Assignment - Deploy-VMSS-Monitor-24 module modPolicyAssignmentLzsDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmssMonitor.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.landingZones) name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmssMonitor 
@@ -1725,6 +1766,37 @@ module modPolicyAssignmentLzsDeployVmssMonitor '../../../policy/assignments/poli } } +// Module - Policy Assignment - Deploy-MDFC-DefSQL-AMA +module modPolicyAssignmentLzsmDeployMdfcDefSqlAma '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMdfcDefSqlAma.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.platform) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployMdfcDefSqlAma + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployMdfcDefSqlAma.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployMdfcDefSqlAma.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployMdfcDefSqlAma.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployMdfcDefSqlAma.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployMdfcDefSqlAma.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployMdfcDefSqlAma.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployMdfcDefSqlAma.libDefinition.properties.enforcementMode + parPolicyAssignmentParameterOverrides: { + dcrResourceId: { + value: parDataCollectionRuleMDFCSQLResourceId + } + userAssignedIdentityResourceId: { + value: parUserAssignedManagedIdentityResourceId + } + } + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.vmContributor + varRbacRoleDefinitionIds.logAnalyticsContributor + varRbacRoleDefinitionIds.monitoringContributor + varRbacRoleDefinitionIds.managedIdentityOperator + varRbacRoleDefinitionIds.reader + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + // Module - Policy Assignment - Enforce-GR-KeyVault module modPolicyAssignmentLzsEnforceGrKeyVault '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceGRKeyVault.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.landingZones) diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sql-ama.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sql-ama.tmpl.json new file mode 100644 index 000000000..9fbbcc048 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sql-ama.tmpl.json 
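Review bot: `scope: managementGroup(varManagementGroupIds.platform)` in the new landing-zone module is wrong: the sibling `modPolicyAssignmentLzsEnforceGrKeyVault` directly below scopes to `varManagementGroupIds.landingZones`, and with the platform scope the landing-zones management group never receives the Defender-for-SQL assignment while the platform group gets two modules deploying the same `parPolicyAssignmentName`. The module symbol `modPolicyAssignmentLzsmDeployMdfcDefSqlAma` also carries a stray `m` that does not match its deployment-name key `modPolicyAssignmentLzsDeployMdfcDefSqlAma`. Unlike the platform variant earlier in this patch, this one supplies no `userWorkspaceResourceId` override, so the template's placeholder workspace path would presumably be what is sent — confirm `loadJsonContent` performs no `${…}` substitution. The rewritten lines:
```bicep
module modPolicyAssignmentLzsDeployMdfcDefSqlAma '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMdfcDefSqlAma.libDefinition.name)) {
  scope: managementGroup(varManagementGroupIds.landingZones)
  name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployMdfcDefSqlAma
  params: {
    // … unchanged: definition id, name, display name, description, parameters, identity type, enforcement mode …
    parPolicyAssignmentParameterOverrides: {
      userWorkspaceResourceId: {
        value: parLogAnalyticsWorkspaceResourceId
      }
      dcrResourceId: {
        value: parDataCollectionRuleMDFCSQLResourceId
      }
      userAssignedIdentityResourceId: {
        value: parUserAssignedManagedIdentityResourceId
      }
    }
    // … unchanged: role definition ids, telemetry opt-out …
  }
}
```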
@@ -0,0 +1,34 @@
+{
+ "name": "Deploy-MDFC-DefSQL-AMA",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations).",
+ "displayName": "Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers",
+ "notScopes": [],
+ "parameters": {
+ "userWorkspaceResourceId": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ },
+ "dcrResourceId": {
+ "value": "${parDataCollectionRuleMDFCSQLResourceId}"
+ },
+ "bringYourOwnUserAssignedManagedIdentity": {
+ "value": true
+ },
+ "bringYourOwnDcr": {
+ "value": true
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "${parDataCollectionRuleMDFCSQLResourceId}"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/de01d381-bae9-4670-8870-786f89f49e26",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_changetrack.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_changetrack.tmpl.json
index 50e513126..3419a4d04 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_changetrack.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_changetrack.tmpl.json
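Review bot: In the new template `userAssignedIdentityResourceId` is given `${parDataCollectionRuleMDFCSQLResourceId}` — the DCR parameter, not the identity — where the sibling templates patched in this same series use `${parUserAssignedManagedIdentityResourceId}`; change it to `"value": "${parUserAssignedManagedIdentityResourceId}"`. `userWorkspaceResourceId` likewise still carries the composed `/subscriptions/00000000-…/alz-logging/…/${parTopLevelManagementGroupPrefix}-la` path that the series strips from the other templates in favour of a full resource ID, so `"value": "${parLogAnalyticsWorkspaceResourceId}"` would keep it consistent. The Bicep module overrides both values at deploy time, so the effect is limited to anything that consumes the template directly (the generated `_policyAssignmentsBicepInput.txt` loads it), but a wrong default in a security-relevant assignment should not be left in.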
@@ -8,7 +8,7 @@ "notScopes": [], "parameters": { "dcrResourceId": { - "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/${parDataCollectionRuleChangeTrackingName}" + "value": "${parDataCollectionRuleChangeTrackingResourceId}" }, "effect": { "value": "DeployIfNotExists" diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json index 904653811..f2b16e7ec 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json @@ -8,7 +8,7 @@ "notScopes": [], "parameters": { "dcrResourceId": { - "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/${parDataCollectionRuleVMInsightsResourceId}" + "value": "${parDataCollectionRuleVMInsightsResourceId}" }, "enableProcessesAndDependencies": { "value": true diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json index 8f3240107..2a2469374 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json 
@@ -8,7 +8,7 @@ "notScopes": [], "parameters": { "dcrResourceId": { - "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/${parDataCollectionRuleChangeTrackingName}" + "value": "${parDataCollectionRuleChangeTrackingResourceId}" }, "bringYourOwnUserAssignedManagedIdentity": { "value": true @@ -17,7 +17,7 @@ "value": false }, "userAssignedIdentityResourceId": { - "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${parUserAssignedManagedIdentityName}" + "value": "${parUserAssignedManagedIdentityResourceId}" }, "effect": { "value": "DeployIfNotExists" diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json index 06d8792f8..9ba5c518f 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json @@ -8,7 +8,7 @@ "notScopes": [], "parameters": { "dcrResourceId": { - "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/${parDataCollectionRuleVMInsightsResourceId}" + "value": "${parDataCollectionRuleVMInsightsResourceId}" }, "enableProcessesAndDependencies": { "value": true 
@@ -23,7 +23,7 @@ "value": false }, "userAssignedIdentityResourceId": { - "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${parUserAssignedManagedIdentityName}" + "value": "${parUserAssignedManagedIdentityResourceId}" }, "effect": { "value": "DeployIfNotExists" diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json index 6ced5fd69..1bbaccb8d 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json @@ -8,7 +8,7 @@ "notScopes": [], "parameters": { "dcrResourceId": { - "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/${parDataCollectionRuleChangeTrackingName}" + "value": "${parDataCollectionRuleChangeTrackingResourceId}" }, "bringYourOwnUserAssignedManagedIdentity": { "value": true @@ -17,7 +17,7 @@ "value": false }, "userAssignedIdentityResourceId": { - "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${parUserAssignedManagedIdentityName}" + "value": "${parUserAssignedManagedIdentityResourceId}" }, "effect": { "value": "DeployIfNotExists" diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json index 81f125f3b..0af75fb88 100644 
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json @@ -8,7 +8,7 @@ "notScopes": [], "parameters": { "dcrResourceId": { - "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/${parDataCollectionRuleVMInsightsResourceId}" + "value": "${parDataCollectionRuleVMInsightsResourceId}" }, "enableProcessesAndDependencies": { "value": true @@ -23,7 +23,7 @@ "value": false }, "userAssignedIdentityResourceId": { - "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/alz-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${parUserAssignedManagedIdentityName}" + "value": "${parUserAssignedManagedIdentityResourceId}" }, "effect": { "value": "DeployIfNotExists" From 903f83201ca8ae762aa5064e16d9f7b2d6f08c61 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 19 Jun 2024 07:03:24 +0000 Subject: [PATCH 30/50] Generate Parameter Markdowns [oZakari/56e2292c] --- .../alzDefaultPolicyAssignments.bicep.md | 50 ++++++++++++++++--- 1 file changed, 43 insertions(+), 7 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index dbce3cd26..ab6793c95 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md 
@@ -8,17 +8,17 @@ Parameter name | Required | Description -------------- | -------- | ----------- parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy. parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix -parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable` - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment. -parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. 
+parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable` - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment. +parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups. parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. 
If set to false, policies will not try to be assigned to corp or online Management Groups. parLandingZoneMgConfidentialEnable | No | Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups parLogAnalyticsWorkSpaceAndAutomationAccountLocation | No | The region where the Log Analytics Workspace & Automation Account are deployed. -parLogAnalyticsWorkspaceResourceId | Yes | Log Analytics Workspace Resource ID. -parDataCollectionRuleVMInsightsResourceId | Yes | Data Collection Rule VM Insights Resource ID. -parDataCollectionRuleChangeTrackingResourceId | Yes | Data Collection Rule Change Tracking Resource ID. -parDataCollectionRuleMDFCSQLResourceId | Yes | Data Collection Rule MDFC SQL Resource ID. -parUserAssignedManagedIdentityResourceId | Yes | User Assigned Managed Identity Resource ID. +parLogAnalyticsWorkspaceResourceId | No | Log Analytics Workspace Resource ID. +parDataCollectionRuleVMInsightsResourceId | No | Data Collection Rule VM Insights Resource ID. +parDataCollectionRuleChangeTrackingResourceId | No | Data Collection Rule Change Tracking Resource ID. +parDataCollectionRuleMDFCSQLResourceId | No | Data Collection Rule MDFC SQL Resource ID. +parUserAssignedManagedIdentityResourceId | No | User Assigned Managed Identity Resource ID. parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log retention for Log Analytics Workspace. parAutomationAccountName | No | Automation account name. parMsDefenderForCloudEmailSecurityContact | No | An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to. 
@@ -113,6 +113,30 @@ The region where the Log Analytics Workspace & Automation Account are deployed. Log Analytics Workspace Resource ID. +### parDataCollectionRuleVMInsightsResourceId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Data Collection Rule VM Insights Resource ID. + +### parDataCollectionRuleChangeTrackingResourceId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Data Collection Rule Change Tracking Resource ID. + +### parDataCollectionRuleMDFCSQLResourceId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Data Collection Rule MDFC SQL Resource ID. + +### parUserAssignedManagedIdentityResourceId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +User Assigned Managed Identity Resource ID. + ### parLogAnalyticsWorkspaceLogRetentionInDays ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) @@ -245,6 +269,18 @@ Set Parameter to true to Opt-out of deployment telemetry "parLogAnalyticsWorkspaceResourceId": { "value": "" }, + "parDataCollectionRuleVMInsightsResourceId": { + "value": "" + }, + "parDataCollectionRuleChangeTrackingResourceId": { + "value": "" + }, + "parDataCollectionRuleMDFCSQLResourceId": { + "value": "" + }, + "parUserAssignedManagedIdentityResourceId": { + "value": "" + }, "parLogAnalyticsWorkspaceLogRetentionInDays": { "value": "365" }, From 8a8e968c3fe0149d551979addb8b8b060bcd30da Mon Sep 17 00:00:00 2001 From: github-actions Date: Wed, 19 Jun 2024 08:01:25 +0000 Subject: [PATCH 31/50] Update Policy Library (automated) --- .../_policyAssignmentsBicepInput.txt | 42 ++++++++++++++++--- 1 file changed, 36 insertions(+), 6 deletions(-) 
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt index 12f8c6e8a..8fec0f24a 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt @@ -188,6 +188,11 @@ var varPolicyAssignmentDeployMDFCOssDb = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json') } +var varPolicyAssignmentDeployMDFCDefSQLAMA = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/de01d381-bae9-4670-8870-786f89f49e26' + libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sql-ama.tmpl.json') +} + var varPolicyAssignmentDeployMDFCSqlAtp = { definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json') 
@@ -223,19 +228,39 @@ var varPolicyAssignmentDeploySQLThreat = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json') } +var varPolicyAssignmentDeployvmArcChangeTrack = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/53448c70-089b-4f52-8f38-89196d7f2de1' + libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_changetrack.tmpl.json') +} + +var varPolicyAssignmentDeployvmHybrMonitor24 = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/2b00397d-c309-49c4-aa5a-f0b2c5bc6321' + libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json') +} + var varPolicyAssignmentDeployVMBackup = { definitionId: '/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json') } -var varPolicyAssignmentDeployVMMonitoring = { - definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a' - libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json') +var varPolicyAssignmentDeployVMChangeTrack = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/92a36f05-ebc9-4bba-9128-b47ad2ea3354' + libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json') } -var varPolicyAssignmentDeployVMSSMonitoring = { - definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad' - libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json') 
+var varPolicyAssignmentDeployVMMonitor24 = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6' + libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json') +} + +var varPolicyAssignmentDeployVMSSChangeTrack = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/c4a70814-96be-461c-889f-2b27429120dc' + libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json') +} + +var varPolicyAssignmentDeployVMSSMonitor24 = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485' + libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json') } var varPolicyAssignmentDeployWSArcMonitoring = { @@ -263,6 +288,11 @@ var varPolicyAssignmentEnforceALZSandbox = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_sandbox.tmpl.json') } +var varPolicyAssignmentEnableAUMCheckUpdates = { + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates' + libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_aum_checkupdates.tmpl.json') +} + var varPolicyAssignmentEnforceASR = { definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Backup' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_backup.json') From d5ea40ae57843dbbe90c3bb000d9b0d90d8ed591 Mon Sep 17 00:00:00 2001 
From: Zach Trocinski Date: Wed, 19 Jun 2024 12:36:10 -0500 Subject: [PATCH 32/50] Remove additional unneeded LAW solutions --- infra-as-code/bicep/modules/logging/logging.bicep | 6 ------ .../modules/logging/parameters/logging.parameters.all.json | 5 +---- .../modules/logging/parameters/logging.parameters.min.json | 5 +---- .../logging/parameters/mc-logging.parameters.all.json | 5 +---- .../logging/parameters/mc-logging.parameters.min.json | 5 +---- .../bicep/modules/logging/samples/baseline.sample.bicep | 3 --- 6 files changed, 4 insertions(+), 25 deletions(-) diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep index d2161808c..a02696466 100644 --- a/infra-as-code/bicep/modules/logging/logging.bicep +++ b/infra-as-code/bicep/modules/logging/logging.bicep @@ -114,17 +114,11 @@ param parLogAnalyticsWorkspaceLock lockType = { } @allowed([ - 'AntiMalware' - 'Security' 'SecurityInsights' - 'ServiceMap' ]) @sys.description('Solutions that will be added to the Log Analytics Workspace.') param parLogAnalyticsWorkspaceSolutions array = [ - 'AntiMalware' - 'Security' 'SecurityInsights' - 'ServiceMap' ] @sys.description('''Resource Lock Configuration for Log Analytics Workspace Solutions. diff --git a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json index 8f812fce1..a4a4b9a3f 100644 --- a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json +++ b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json @@ -19,10 +19,7 @@ }, "parLogAnalyticsWorkspaceSolutions": { "value": [ - "AntiMalware", - "Security", - "SecurityInsights", - "ServiceMap" + "SecurityInsights" ] }, "parDataCollectionRuleVMInsightsName": { 
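Review bot: Narrowing `@allowed` on `parLogAnalyticsWorkspaceSolutions` to `SecurityInsights` alone is a breaking change — any existing parameter file still passing `AntiMalware`, `Security` or `ServiceMap` now fails template validation instead of deploying — and nothing in the hunk records why. The parameter description should say so, e.g. `Solutions that will be added to the Log Analytics Workspace. AntiMalware, Security and ServiceMap are no longer accepted; their data is presumably collected through the AMA data-collection rules this module now creates.`, with the cause confirmed against the DCR changes elsewhere in this series. Whether solutions already present on a deployed workspace are left in place is outside this hunk and worth an upgrade note.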
diff --git a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json index 218d6c2d4..e74df2a7e 100644 --- a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json +++ b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json @@ -10,10 +10,7 @@ }, "parLogAnalyticsWorkspaceSolutions": { "value": [ - "AntiMalware", - "Security", - "SecurityInsights", - "ServiceMap" + "SecurityInsights" ] }, "parAutomationAccountLocation": { diff --git a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json index 8b6d9856d..30868a880 100644 --- a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json +++ b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json @@ -16,10 +16,7 @@ }, "parLogAnalyticsWorkspaceSolutions": { "value": [ - "AntiMalware", - "Security", - "SecurityInsights", - "ServiceMap" + "SecurityInsights" ] }, "parDataCollectionRuleVMInsightsName": { diff --git a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json index de51b6a25..dad0948b4 100644 --- a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json +++ b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json @@ -10,10 +10,7 @@ }, "parLogAnalyticsWorkspaceSolutions": { "value": [ - "AntiMalware", - "Security", - "SecurityInsights", - "ServiceMap" + "SecurityInsights" ] }, "parAutomationAccountLocation": { diff --git a/infra-as-code/bicep/modules/logging/samples/baseline.sample.bicep b/infra-as-code/bicep/modules/logging/samples/baseline.sample.bicep index aa84cfd16..904574aae 100644 --- a/infra-as-code/bicep/modules/logging/samples/baseline.sample.bicep 
+++ b/infra-as-code/bicep/modules/logging/samples/baseline.sample.bicep @@ -26,10 +26,7 @@ module baseline_logging '../logging.bicep' = { parLogAnalyticsWorkspaceName: 'alz-log-analytics' parLogAnalyticsWorkspaceSkuName: 'PerGB2018' parLogAnalyticsWorkspaceSolutions: [ - 'AntiMalware' - 'Security' 'SecurityInsights' - 'ServiceMap' ] parUserAssignedManagedIdentityName: 'alz-umi-identity' parAutomationAccountName: 'alz-automation-account' From 9ea826bed485aef9e571e4ac9e7a1e5964066051 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Wed, 19 Jun 2024 12:37:58 -0500 Subject: [PATCH 33/50] Change UAMI API to GA version --- infra-as-code/bicep/modules/logging/logging.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep index a02696466..34c192866 100644 --- a/infra-as-code/bicep/modules/logging/logging.bicep +++ b/infra-as-code/bicep/modules/logging/logging.bicep @@ -184,7 +184,7 @@ param parTelemetryOptOut bool = false // Customer Usage Attribution Id var varCuaid = 'f8087c67-cc41-46b2-994d-66e4b661860d' -resource resUserAssignedManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' = { +resource resUserAssignedManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { name: parUserAssignedManagedIdentityName location: parUserAssignedManagedIdentityLocation } From 960ca75c415383ebabed7195ed6ccd6c59b07050 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 19 Jun 2024 17:41:48 +0000 Subject: [PATCH 34/50] Generate Parameter Markdowns [oZakari/56e2292c] --- .../bicep/modules/logging/generateddocs/logging.bicep.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) 
diff --git a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md index 78a758078..8bf5ad5a6 100644 --- a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md +++ b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md @@ -175,9 +175,9 @@ Resource Lock Configuration for Log Analytics Workspace. Solutions that will be added to the Log Analytics Workspace. -- Default value: `AntiMalware Security SecurityInsights ServiceMap` +- Default value: `SecurityInsights` -- Allowed values: `AntiMalware`, `Security`, `SecurityInsights`, `ServiceMap` +- Allowed values: `SecurityInsights` ### parLogAnalyticsWorkspaceSolutionsLock @@ -386,10 +386,7 @@ outAutomationAccountId | string | }, "parLogAnalyticsWorkspaceSolutions": { "value": [ - "AntiMalware", - "Security", - "SecurityInsights", - "ServiceMap" + "SecurityInsights" ] }, "parLogAnalyticsWorkspaceSolutionsLock": { From 20291d86a0cabd5cd0e867e7dcd6f56dbedc76bd Mon Sep 17 00:00:00 2001 From: Zach Trocinski <30884663+oZakari@users.noreply.github.com> Date: Wed, 19 Jun 2024 12:45:00 -0500 Subject: [PATCH 35/50] Update infra-as-code/bicep/modules/logging/logging.bicep Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> --- infra-as-code/bicep/modules/logging/logging.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep index a02696466..f5250101c 100644 --- a/infra-as-code/bicep/modules/logging/logging.bicep +++ b/infra-as-code/bicep/modules/logging/logging.bicep 
@@ -308,7 +308,7 @@ resource resDataCollectionRuleVMInsightsLock 'Microsoft.Authorization/locks@2020 } } -resource resDataCollectionRuleChangeTracking 'Microsoft.Insights/dataCollectionRules@2023-03-11' = { +resource resDataCollectionRuleChangeTracking 'Microsoft.Insights/dataCollectionRules@2021-04-01' = { name: parDataCollectionRuleChangeTrackingName location: parLogAnalyticsWorkspaceLocation properties: { From 3795283c990ffc919875e092028cf4cc867b1cf1 Mon Sep 17 00:00:00 2001 From: Zach Trocinski <30884663+oZakari@users.noreply.github.com> Date: Wed, 19 Jun 2024 12:45:06 -0500 Subject: [PATCH 36/50] Update infra-as-code/bicep/modules/logging/logging.bicep Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> --- infra-as-code/bicep/modules/logging/logging.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep index f5250101c..59513589c 100644 --- a/infra-as-code/bicep/modules/logging/logging.bicep +++ b/infra-as-code/bicep/modules/logging/logging.bicep @@ -579,7 +579,7 @@ resource resDataCollectionRuleChangeTrackingLock 'Microsoft.Authorization/locks@ } } -resource resDataCollectionRuleMDFCSQL'Microsoft.Insights/dataCollectionRules@2023-03-11' = { +resource resDataCollectionRuleMDFCSQL'Microsoft.Insights/dataCollectionRules@2021-04-01' = { name: parDataCollectionRuleMDFCSQLName location: parLogAnalyticsWorkspaceLocation properties: { From a0f7a9007a430a4e463abb59b5926720d28b3367 Mon Sep 17 00:00:00 2001 From: Zach Trocinski <30884663+oZakari@users.noreply.github.com> Date: Wed, 19 Jun 2024 12:45:12 -0500 Subject: [PATCH 37/50] Update infra-as-code/bicep/modules/logging/logging.bicep Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> --- infra-as-code/bicep/modules/logging/logging.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep index 59513589c..018cc7229 100644 --- a/infra-as-code/bicep/modules/logging/logging.bicep +++ b/infra-as-code/bicep/modules/logging/logging.bicep @@ -240,7 +240,7 @@ resource resLogAnalyticsWorkspaceLock 'Microsoft.Authorization/locks@2020-05-01' } } -resource resDataCollectionRuleVMInsights 'Microsoft.Insights/dataCollectionRules@2023-03-11' = { +resource resDataCollectionRuleVMInsights 'Microsoft.Insights/dataCollectionRules@2021-04-01' = { name: parDataCollectionRuleVMInsightsName location: parLogAnalyticsWorkspaceLocation properties: { From e659e87206399471fb1b6779e14ae0f7e23165eb Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Wed, 19 Jun 2024 14:09:50 -0500 Subject: [PATCH 38/50] Update VM, VMSS, and ArcVM monitoring assignments to align to enterprise-scale --- .../policy_assignment_es_deploy_vm_arc_monitor.tmpl.json | 2 +- .../policy_assignment_es_deploy_vm_monitor.tmpl.json | 2 +- .../policy_assignment_es_deploy_vmss_monitor.tmpl.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json index f2b16e7ec..6f203b50e 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json @@ -1,5 +1,5 @@ { - "name": "Deploy-vmHybr-Monitor-24", + "name": "Deploy-vmHybr-Monitoring", "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2019-09-01", "properties": { 
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json index 9ba5c518f..ca2c359f2 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json @@ -1,5 +1,5 @@ { - "name": "Deploy-VM-Monitor-24", + "name": "Deploy-VM-Monitoring", "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2019-09-01", "properties": { diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json index 0af75fb88..3980c3448 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json @@ -1,5 +1,5 @@ { - "name": "Deploy-VMSS-Monitor-24", + "name": "Deploy-VMSS-Monitoring", "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2019-09-01", "properties": { From a174cfc08c44c0afad7ec6b2bed43c25cfeb8621 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Wed, 19 Jun 2024 14:10:38 -0500 Subject: [PATCH 39/50] Add new AMA related resource IDs to accelerator config --- .../.config/ALZ-Powershell.config.json | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/accelerator/.config/ALZ-Powershell.config.json b/accelerator/.config/ALZ-Powershell.config.json index 476d26b86..190d35579 100644 --- a/accelerator/.config/ALZ-Powershell.config.json 
+++ b/accelerator/.config/ALZ-Powershell.config.json @@ -457,6 +457,46 @@ } ] }, + "DataCollectionRuleVMInsightsResourceId": { + "Type": "Computed", + "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr", + "Targets": [ + { + "Name": "parDataCollectionRuleVMInsightsResourceId.value", + "Destination": "Parameters" + } + ] + }, + "DataCollectionRuleChangeTrackingResourceId": { + "Type": "Computed", + "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-ct-dcr", + "Targets": [ + { + "Name": "parDataCollectionRuleChangeTrackingResourceId.value", + "Destination": "Parameters" + } + ] + }, + "DataCollectionRuleMDFCSQLResourceId": { + "Type": "Computed", + "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.Insights/dataCollectionRules/ama-mdfcsql-default-dcr", + "Targets": [ + { + "Name": "parDataCollectionRuleMDFCSQLResourceId.value", + "Destination": "Parameters" + } + ] + }, + "UserAssignedManagedIdentityResourceId": { + "Type": "Computed", + "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/alz-umi-identity", + "Targets": [ + { + "Name": "parUserAssignedManagedIdentityResourceId.value", + "Destination": "Parameters" + } + ] + }, "DdosPretectionPlanId": { "Type": "Computed", "Value": "/subscriptions/{%ConnectivitySubscriptionId%}/resourceGroups/rg-{%Prefix%}-connectivity/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan", From 7a5a435972b434e689d630d2c7f82d4e0724b5bc Mon Sep 17 00:00:00 2001 
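Review bot: The four new computed IDs hard-code the resource names (`alz-ama-vmi-dcr`, `alz-ama-ct-dcr`, `ama-mdfcsql-default-dcr`, `alz-umi-identity`) and the `rg-{%Prefix%}-logging` resource group, duplicating defaults that appear to live in the logging module's parameters; if either side drifts, the policy assignments will point at a DCR or managed identity that does not exist and the AMA DeployIfNotExists remediation will fail at runtime rather than at configuration time. The `resourcegroups` segment is also lower-case here while the neighbouring `DdosPretectionPlanId` entry spells it `resourceGroups`; Azure generally compares resource IDs case-insensitively, but using one spelling avoids surprises in any string comparison downstream. I would derive these IDs from the same config values that feed the logging parameters instead of repeating the literals, and confirm `ama-mdfcsql-default-dcr` against the module default since it does not follow the `alz-ama-*` pattern of the other two.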
From: Zach Trocinski Date: Wed, 19 Jun 2024 15:47:27 -0500 Subject: [PATCH 40/50] Add ama resource outputs and update documentation --- infra-as-code/bicep/modules/logging/README.md | 11 ++-------- .../logging/generateddocs/logging.bicep.md | 20 ++++++++++++------ .../bicep/modules/logging/logging.bicep | 9 ++++++++ .../modules/logging/media/bicepVisualizer.png | Bin 208206 -> 51821 bytes 4 files changed, 24 insertions(+), 16 deletions(-) diff --git a/infra-as-code/bicep/modules/logging/README.md b/infra-as-code/bicep/modules/logging/README.md index da2590d19..0f4f24d11 100644 --- a/infra-as-code/bicep/modules/logging/README.md +++ b/infra-as-code/bicep/modules/logging/README.md @@ -4,18 +4,11 @@ Deploys Azure Log Analytics Workspace, Automation Account (linked together) & mu Automation Account will be linked to Log Analytics Workspace to provide integration for Update Management, Change Tracking and Inventory, and Start/Stop VMs during off-hours for your servers and virtual machines. Only one mapping can exist between Log Analytics Workspace and Automation Account. +We provision several data collection rules (VM Insights, Change Tracking, and Defender for SQL) as well as a user-assigned managed identity (UAMI). These resources are utilized in tandem with various policies as part of deploying the Azure Monitor Agent (AMA). + The module will deploy the following Log Analytics Workspace solutions by default. Solutions can be customized as required: -- AgentHealthAssessment -- AntiMalware -- ChangeTracking -- Security - SecurityInsights (Azure Sentinel) -- SQLAdvancedThreatProtection -- SQLVulnerabilityAssessment -- SQLAssessment -- Updates -- VMInsights > Only certain regions are supported to link Log Analytics Workspace & Automation Account together (linked workspaces). Reference: [Supported regions for linked Log Analytics workspace](https://learn.microsoft.com/azure/automation/how-to/region-mappings) 
diff --git a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md index 8bf5ad5a6..3bdddcea4 100644 --- a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md +++ b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md 
@@ -6,21 +6,21 @@ ALZ Bicep Module used to set up Logging Parameter name | Required | Description -------------- | -------- | ----------- -parGlobalResourceLock | No | Global Resource Lock Configuration used for all resources deployed in this module. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parGlobalResourceLock | No | Global Resource Lock Configuration used for all resources deployed in this module. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceName | No | Log Analytics Workspace name. parLogAnalyticsWorkspaceLocation | No | Log Analytics region name - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings. parDataCollectionRuleVMInsightsName | No | VM Insights Data Collection Rule name for AMA integration. -parDataCollectionRuleVMInsightsLock | No | Resource Lock Configuration for VM Insights Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parDataCollectionRuleVMInsightsLock | No | Resource Lock Configuration for VM Insights Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parDataCollectionRuleChangeTrackingName | No | Change Tracking Data Collection Rule name for AMA integration. -parDataCollectionRuleChangeTrackingLock | No | Resource Lock Configuration for Change Tracking Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parDataCollectionRuleChangeTrackingLock | No | Resource Lock Configuration for Change Tracking Data Collection Rule. 
- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parDataCollectionRuleMDFCSQLName | No | MDFC for SQL Data Collection Rule name for AMA integration. -parDataCollectionRuleMDFCSQLLock | No | Resource Lock Configuration for MDFC Defender for SQL Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parDataCollectionRuleMDFCSQLLock | No | Resource Lock Configuration for MDFC Defender for SQL Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceSkuName | No | Log Analytics Workspace sku name. parLogAnalyticsWorkspaceCapacityReservationLevel | No | Log Analytics Workspace Capacity Reservation Level. Only used if parLogAnalyticsWorkspaceSkuName is set to CapacityReservation. parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log retention for Log Analytics Workspace. -parLogAnalyticsWorkspaceLock | No | Resource Lock Configuration for Log Analytics Workspace. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parLogAnalyticsWorkspaceLock | No | Resource Lock Configuration for Log Analytics Workspace. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceSolutions | No | Solutions that will be added to the Log Analytics Workspace. -parLogAnalyticsWorkspaceSolutionsLock | No | Resource Lock Configuration for Log Analytics Workspace Solutions. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parLogAnalyticsWorkspaceSolutionsLock | No | Resource Lock Configuration for Log Analytics Workspace Solutions. 
- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parUserAssignedManagedIdentityName | No | Name of the User Assigned Managed Identity required for authenticating Azure Monitoring Agent to Azure. parUserAssignedManagedIdentityLocation | No | User Assigned Managed Identity location. parLogAnalyticsWorkspaceLinkAutomationAccount | No | Log Analytics Workspace should be linked with the automation account. @@ -28,7 +28,7 @@ parAutomationAccountName | No | Automation account name. parAutomationAccountLocation | No | Automation Account region name. - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings. parAutomationAccountUseManagedIdentity | No | Automation Account - use managed identity. parAutomationAccountPublicNetworkAccess | No | Automation Account - Public network access. -parAutomationAccountLock | No | Resource Lock Configuration for Automation Account. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parAutomationAccountLock | No | Resource Lock Configuration for Automation Account. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parTags | No | Tags you would like to be applied to all resources in this module. parAutomationAccountTags | No | Tags you would like to be applied to Automation Account. parLogAnalyticsWorkspaceTags | No | Tags you would like to be applied to Log Analytics Workspace. 
@@ -311,6 +311,12 @@ Set Parameter to true to Opt-out of deployment telemetry Name | Type | Description ---- | ---- | ----------- +outDataCollectionRuleVMInsightsName | string| +outDataCollectionRuleVMInsightsId | string | +outDataCollectionRuleChangeTrackingName | string | +outDataCollectionRuleChangeTrackingId | string | +outDataCollectionRuleMDFCSQLName | string | +outDataCollectionRuleMDFCSQLId | string | outLogAnalyticsWorkspaceName | string | outLogAnalyticsWorkspaceId | string | outLogAnalyticsCustomerId | string | diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep index 76883f81f..a8dbea99b 100644 --- a/infra-as-code/bicep/modules/logging/logging.bicep +++ b/infra-as-code/bicep/modules/logging/logging.bicep @@ -682,6 +682,15 @@ module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdRes params: {} } +output outDataCollectionRuleVMInsightsName string = resDataCollectionRuleVMInsights.name +output outDataCollectionRuleVMInsightsId string = resDataCollectionRuleVMInsights.id + +output outDataCollectionRuleChangeTrackingName string = resDataCollectionRuleChangeTracking.name +output outDataCollectionRuleChangeTrackingId string = resDataCollectionRuleVMInsights.id + +output outDataCollectionRuleMDFCSQLName string = resDataCollectionRuleMDFCSQL.name +output outDataCollectionRuleMDFCSQLId string = resDataCollectionRuleMDFCSQL.id + output outLogAnalyticsWorkspaceName string = resLogAnalyticsWorkspace.name output outLogAnalyticsWorkspaceId string = resLogAnalyticsWorkspace.id output outLogAnalyticsCustomerId string = resLogAnalyticsWorkspace.properties.customerId 
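Review bot: `outDataCollectionRuleChangeTrackingId` is wired to the wrong resource: it returns `resDataCollectionRuleVMInsights.id` instead of `resDataCollectionRuleChangeTracking.id`, so a consumer that feeds this output to the Change Tracking policy assignment would associate machines with the VM Insights DCR and silently collect no change-tracking data. The fix is one line: `output outDataCollectionRuleChangeTrackingId string = resDataCollectionRuleChangeTracking.id`. The new outputs also carry no `@sys.description`, which is what the generated docs table in this same commit uses to fill its empty Description column. There is no output for the user-assigned identity either, even though the accelerator config in this series computes its resource ID by hand; unless it is defined outside the hunk, consider `output outUserAssignedManagedIdentityId string = resUserAssignedManagedIdentity.id` so callers can consume the real ID instead of reconstructing it.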
diff --git a/infra-as-code/bicep/modules/logging/media/bicepVisualizer.png b/infra-as-code/bicep/modules/logging/media/bicepVisualizer.png index a09b69682bd04ff010e7f7d837162e491e9e2546..b5be212322dc18b4b234beb06d5a58c5a81311cd 100644 GIT binary patch literal 51821 zcmbSz1yqz@|0fC(QWgTzAt)dz(jcwUN;7mRDFZ_fLx(hoG)N;cfRwa^bcn>z9m3Es z#K6q#!~5?4-QC}w-Lq#oKZ$G+?hlfZ0`jx_4JiJ@tcz8Fo ziEjc=B8eX40sq}_eXA^o2Op;20=^K~%BsoY;Z?W#Ed3N6~rx??#Vv zu@&&}o|~e++dF3)HxF~LHJ&oq+SQTm!GC?4$>NcL%*6lw zvjhnTQU9lnphAAF@jq?Mo(!yrTmRLMpdERqf%m`qF%z4F^+NvBCVL>R04Mz)!y;I~ z#{bil6#w5-(nNzqP`Qp#H$L=8{fY6(XE=K$u@~K-tnzZzUxqb8~ZRYwOxG^D6xsVdoB;>cbKQva_S3#_vS8a=*-= zy0XIKG~a_!M@@~KgZIgk@TjP9^e9pLNnc-|FR4JwrkQtGri)fZ zWQ6iwUJa-7%_OB0hB`V0j-L0`i^i-36_u6kF@J+p(_cJ$@#2MyOj}u*>ZR^NFe0tB zuCA`8<}-W@Ju1?U_H;HeVO&(av{(ohG0Hx?$Hb&TWM{l(|8dQVCuPCmh5cfG`b!JX zqJHKLAr+3tkB3qOPNy?xv9w|8i0!h5WUn1sZ9 zxNh1ZBqT&UQ~gpmkjM^ zPpx_>!h$|$eS3%0%)S|``0>T_=SwaBdiQnGK!3kxmtmMXKie1NSdoUZW65g1i)qUz37s(h^z>J~rr?c0R0tp{Vk!K^YSrosp?2-z1Z; z8^bq0fWh9sFP<#F-xt0v9-p~tY4|5bkA~{6xzdlxq6Gyo_Cmez+4 z-zJNs<$xa-7l9n*ONx%-ulQQh*Xtde6MgpHRGx-v`|M%41~j<1_({f>stPEPxpv$U zz)yD2Z3zVh1^#)VE&J=&^xJZB+Uxzylr4eHB}UpU%FFmPr^5aK-yTs=@ zmybG%f1=%+q&PT~kdqNsUEs{s&hG7(AzJcI3L?OeYJ*u)>BMk`0)9hnbSXfdxU@8` zLMDk5a|46a$)Z+yU<3NFojVidx~11E_w{XVH~Zb{&rjGpTO*BPc=bFUd2~E8RWgv;|C^CztQ-0=!kmOz{tR0Y+?duXyGSJOH1R}CEPd+#MiBNBC*Ve!=1p4!dzge9rK${ zpfgK;Cu{2hU>kwGD3^fcRo7(spzGiIs&aBRRCqXXkjz$7Hu^Nt2Bp z8J=7m6>~-Zj7NGA2IbkBTie@aUB!2u5rl(A21Lf)PR8Aat-**-H?x3OR8NwIc2BcH zE|kPtF7X4H5hyP&Du@~|5bdY6xjjmt6JiTxeL90KC?);0ZonzCBm-_SzewZGhFUJp zF3!0vVM6p4-p6I{dmqv@?4`7M_Q;RyN*(?h3X=v^UB=wAPpV_9Bq3-p852Ism67rr zs2Xu+!g>zv%J9`95~}PjZ>HeIBXt}zH!<54J~4jZFMB!Z_AW9Datz8SfdxGyf2Qwy zwj6s(fBAr^*baGbOy0j2C1^XJHtXko+)n8vhP?=Z`3^3$`18ScNgb|C;OQlHUlvdD z(igmAeVu19Bjdb=yoGuMfgrw;N}d_7<7j8B^L`&6pV!WMHx;rAeH#{sq(Z5s;|_=m zTXtoNj0c9PDTH}Vxn(-h0U+fp6o(_zS?zu;PIAF(p)PRcrOfg6B6uF;XbMHPh_s^o zOvm=oh;I$E6@p&~(U2rRK7-JA6i&FUVVu zH-?YvO)(wqt%YqDzm@6su*QnUdAd*i51kvFo^UxCcq}B1w2mUsJ~6)D3w$^`M+aa^ 
z{?=!R*VBEQr}P*36_86_YRrWTVFRx}u5G?(-8-kRdFcrG>Nio!M6CntK+NatN)mR( zXG*E@1YHW^dm;dFZn;WJj-jahVc)P;mAsu?Hh31;!=yU#%@kNu=*mjWah(ZjCmla( z&yW{)*_MXLuq0kmvBK!UEyuppZkn9d>k;YC)q*bO(it|L4y*6ivVCIl<3U7hk`GLR zt`11+TQ2AEno6xVBg1^^Ow=vDwy-cCsx)NjX)a~7c_MKbsOZ?fH)^ee8-A8Pc9N$; zcclYI9+L}a&I5<`_v2)nIS%&4q`sn<=PT~cu=08%FP}^sGLQk$?7K7R(aKzwAr8)0|LN=h16Ve_nn_oV8M0|w3M3`V z>ccwD*45V6+taZTn95lk8qAz(exy zV!a>D-i~iWuTeGvs&w5{H`K2*yWwsn*RmW+H?_03*PU!=Xvp6JE`h^&Z_hvPg>%Dy ztb8Bf9jlvPfq@yuW;X`gmOLmI!B@vO>KH5epE_I|FJ>GkuhDj+d4iI-^(;hli|a5_ zEnk?%)>K}84M|IT6k2y#oj54X*K+b_$&!X54JFe6A48TJN{C>tTBUlV>CE5M!_Vx6w<3Xd{SO}Nx zM(gpgL_89@c+)OZFLY(Z?^GxwLd~JsWwqNBv#r;nGyJ?bMp^i;SSu$2(pYjTmJY-9 z8Wioe4v;%vIb*GxZmSg-vIQ-zzC^K*=@*SK`RoWJ@i&xpa;MuVwiiy=&9}jDL6p*- zg`=`RxT`Yh+Nt2m>fy3_ODl=!+OJ0go1nbsreb+VxIlHu|=)8-TIrxbme#459`$t&Ge#y^5 z!y8TWF(6ybO7+Zzx_Ma!fO{Y72&=$nJvy;C3jV6}kTt*67MNA*SBV;3^r~Q(#ZPZb z%T;5K`GVnGuH$dF%bH#UKqOD8+s=P20=%=g=QMGI=hV1Wm~86jg+Zf&DG)whI>k!b z5r(#ay7@a(@HIp77?2HO_IrC8;FjVJLEIp^Mjtrx~kSSGZ6 zwma*Az1S4uf}P|s8T;(krs(gkBt@K~krh2s-lg^&V>1}WHS~m@sj-fZ;;ly)>wK`j zSNle|O&Oe+Ye30dJ^i?N1q^$foeB+gSS0u3K#&d<%+JE7P!);zsyj9f>*v%)dp>_A zTg((D^`t0Yq>~>Tdv6t#2tJ12E}=*-2_8=)SZdhJk`MpZ4|UPe-G`KO>lfWo24_yX zBpuJxV;$?~l`J&1wAvf(rpW=;CrzJuD1BIA9}8`DPATOe-<1f?smoO+ zoabzvV?`TQ9R6E`>G7rQFm`qktHf-hE4|-*9KLh52$ONvvfVO)qI71w*5Z}j0Sj;h zhD~fRKiivMyHg^4BSbQ*Ib$$3_V*(cO?D#kRxSBF%y*@~GkZ^J7IGi1IDOWftYN_W zLsewZRbjtrzqN-6<~#7^8O;OiVJvJgQ{v24=8_hfzg4PN;ob+aS?A35y$3}lw_SzA zyAM38zXIN3uVWPb=x<(UkKiR-t{#y_x{2!y@baGwi7ZAfV-Lb)mgshOca>x4FXs3C z!tCQ8&bjn3JP#Cf>w|3HU+=@`7cgLxk53J{o#L~<&_Yk?*I|C&RQpnXMFTu$XJ ztqP{%Z+ujuPh|O2uf1@J!F7qS#QIkB7_%_#Y6?wk2kW@igH<77{$xO$5kwC`-yGC7)y?B}=r;ZR>4wNWJCC zmoHy#jB(-9%jb<8-oAOufO$0y94aOc2q(U7Cc*)T1#v(ix+bb#5;gwL_leWXTNG4G z%p4gXpq^K+;hRP!kDMAUkpYy-c4&snMf)Gi!&lomu-@E6+Jt5<*V6M5j(HUaTTSPM z=G4Ps^h~XNY91}hsxwN~Az7|1nB0DTiG#*%}4#*qz`#CH@yjiliM}hv)8;$ z3_^~#=c!v!?OE?k7sY$~JD;hdlUpxj2U<PyI=}=NlmiV-JR^z|;=U4cit!{)5ztLvra`>2GPB+glYV 
zSqYJ%_|8`OiFh9+Js;f&xM%Z{o-FTLs?(1EWUqu?x@Ux`&AnEPT0Wp_fQzKs*BL_= z==OIRbG9lZ541LoVb7n}d>}`KQLqn>;b5!Tmh>p2)Jl9VN$S!wQ%4!*Wro53< zAtEMx=?4t5Byhl(3vKrkrpK})P>R1M)r>}_0rQr#?NL0+gArS^Nlp2%h73b0CZCe} zXx3boN6ugIo=~xt`&3B7&&P<;k`jH+I-y{aaRvN9A^hyMXjL=p)x|kwcOyW2A`K($ z!l%BWv{plD!f*HvA|4!#{-Ady-wU=soR63yV50DE@FxiRBF1mX!SVZM+RgfW-yeyO zczreCn-X+8e3=fS2YpI}7l6Bj&aMu3=Rif`P%*nX2r!d$T=hq_J^oGpl&1nh;#a?O z+V?e|D2v}iPFvAfnh95|nl#6Mma`wX^i_v%B1B7=yuU3k z+1f97;=Dr-r`7w-76(jl&YgLe$Bf?Gw)2y7=1#Vcd2+)m_XqgeqN<2%$)2%t1d(eP z{rH%p0=Il1D3$;Yy+imozJs!=qYZ~~zMT!jdVPORb{n|u`1dYX_{+waxoILVvb?CP z1x3a1%* z6Mo3%FYmbZa5Hbw_gJm_GWDTU(DJGVSZd_$hl{>!Itp0TPBf)EI3atfsb$$Jnh;JH>wUB*5a#gW4-+%1+ znCAoo$!v~eXY3s1knYsZ_3pH(UN-C^pW7)jWVlj=Bh?BD5IdzZ=!rlPnIBgNoLTy~ z8F?l?Z?xv2{H3e=e4>%mL36`Rw!MXxbS!65$6u?p;F~+YmU6QNfJ0y9j8apLx=R}s zZmTW+4u3h23Jl#*If~9@GuDl6`g)V1(~Q$-DakXYZQ0P5fP|6lv-mm9&%m8)ziA?b=;{!0UZpM{yB;NP!%>GuaPX{ zGj+0r6!Y=RT%|!TyH1fBjmXwPp6;uJ02&p>Dyc4qOQiXIaZc84=it!w zgzPQH%@;)a!5@d*{HZ>cNAfm?f1%ydE`)MC_=EqJ;xXbi^P&8AQ9<#!C<137SjaWP zjx-w=G9^nTqzsekgBa&jtz|p|*0kk)+{r*BbJT?vp}+JUa#bGE$0?t!k5gg}#N6n& z9_G*q33R2vsz_I3h+kqg`W3{KayX>@8>)uUD5MLC-CK248--OWGNsSdG3`G$qf1<< zec2Y&<9d4D(~6iaaC$M{yko`BYnbV#-Uk8Q8Vx908WXGI%<{CjJl(ZZ(A+h}p{Wy& z%f3mUmw+lHywVCBahFDm-mnqcQR&|`JSn)DASQS0?lT5C<7b@%kU$PXB?*?!=RmuCG%R1A^Xt zMO*GWA!&wMDfl33sY|(dVjNG}|19Qk1T8$-FmNq_&&ErT$g(V|{)pmMSBS?CS zwj8Z7z|?m-f$)M_AOD*>&JR}Z*(2bJ<>p;Xxbq%j&!~a?msvdzUb@3MIJSehdo8_L z$>K9&JAdq0WZ7h%UVwH~)aWDR%9MOPw+fP@l-MSI?^^iFn(62Zdk0CR?y5^_xR9n?d1J zT_0DP6Of*y5o`t$*^0%RuHT~g?h;h;WhuSNF?eM4Kq!5QL{+1vi~)0Shv`ZK&W#jd zz*_vmp1~P5K9h%tFyMSwRXCr;wth2!c{ad@Q!R+!nt$g*r?&pO4Oq`gDLI*y)NGme zt_V6=iYl6q-mJVBq zJxgz!fA!eq9B;B`x|h3BdUqAVPO=u4AN~fO$nuptRJ#s(DAWK~UG!WVD7ajl^;%10 zv8DsUa$VG$m}BkQffJ{7@f?~lOKH|hK`DNkDvm@!vzz^WH3HA4&i7JJ$jaAePRHh+eg^F@>7w~hz>mbbvD%DKv3Nj0XeyaqGeGqB1a#mkE zKO#{TT&((park@*1~xWmTmGvTX@XnS2@8|94nlckUmfM@EmldLwxH(wA)$W)Z;__7 zlMGBL8f25j<@ECohG|vCBp{;{RJ-YA(aP+4)1s@Nx0V1G>3*VUwM^@%{gu$h}<<3h{_9HJs(fb5qBuonSHS&T#ivWK-Yl7U@ 
z2wpwTh;zpxaZN|Rd!QAWd*nz{9@s`45IRVMOb9lEdf0>2(UFIPFMr`#ZLYcYJFMvw znD%@9${iXSdIHbBTH~Zi|EpT)H>M^c&^sb^25JrnPOpDQUK?u5uRwBtJcq%e5q&FG zt2|>PHfESGdTTO=zYXi6s%;~MuArMH{qIZbo3s!t;=*B5JhL{OimI9 z=8N3x!vuTxO`UuXgV&cu+@NYQ0J&CFKe;_Pwf1}bgl)F+u9Lqpka`Fr<^=s&CQ}l8 zHmKIj5o%!&%FaSZ9;>2>1AIV*^JT7-C_8qO=8&bxtj#3Nmwz{-*B0OVbsr%s+JJ|Kk4Yi5R=ht)w~ou)T+&v2B3J#=z^P8~>J5I_HWa^t#)4nggrIpxR#mGttB$-hoLuXY-r8S|VsvtVWpo%&N z4{7;eP?;h3hFls;L_NRZ(;mBgg#P`uj+iKGRvBla85yr5_L6S5umEq;YoZT# zY?tmw5R!QnX#?8T6Ju>t_I6Db7OW`-;13wL`hS-+Dwvm9}T7<0< zxx5xmG0$EVMii({r!W$ki6-Wo3)&EHSP%A#o10IR=%}8NDai@E!?*l`-s$-GgMe52 zoojbHP4!fara$QoOIkjQK%10m>c~~Pnvo~nwZuIAW7wnQHhwz9RMzrmi0d$`5b@}5MZkEy#RL*Gkxm3qeQcGPQsSikXKuqhu=lvs(nTU3z+S2dX-G}QI~LNc z&5d6|f{m;9b4I@G!uDtGn_4Wk?E4PXIQo44&=hONdv1RY zEF0jd*n`c;vo;v2itqF^&F>P4D}`Q_H@DKJ8-^w$6DdhVoaFlzcQ`J_-t^E(cf_uv z&n9se%XIsuE+<0P7?lOjwyg;Ki=cAg$g;UKL)Z4!0`EU~eq{hJUGGgkUN~P$V9P#D z!!`{pqAM|dL7`!2D+fD3!d-Iv@ggR`C#6{;(o=qa@2if0*V|(^B_YLMom=5wmeszM4qy|NiYaW$P}?b#r0m-3eO+`S13M8;mZm5-+%*fmI7smtVp z^i+^^Oc`h0m*fBkGMO17R)WCuTW)*vO=m{~e26;ba8B_2cx0Ubq0;zp_*$c(;lkDX zPVCw2s~He=JB2>SOE?Y)KQ?R?rvKh%#GZAs3q5R*X7y<>&)yc*fBXQ#$9d2$cZ>Y)oEjcfFOk8Jv}#A(ZVZmT8P7*nr^k2kG;zZOr}<^z_vs zTTpPLVY3EY<9S{jGOrq8rZhj?yXL+B$L(+R`sJe0L9AurvML`K;}A7tf=^>9!Ip?@ zQ5jq2`?3df?jz-V6IP8S=tY%Qw4$%WWDARRjfYP{>hL>tv}zg1S=6g>b#3d}e#V0Div4VQ_M|Ph@q6t;QB3U4JVuYzsY*dQ55EUE6Z?R$KI5I?ml( zn3QrC-HeyLrk}JJkUg!~uf?M4HB8;MXNQBbsbz5RJ(n`r$FC?wxX;hOJHjbi^+K!- zF}ai7dpt`ATLmx!vOYtyKouQXakCj__Fq=N|=_dc7&c8Z~WJ|W3k8e3T!|GT5 zCRHzr+fqarU>n9ZA)R> z$+!qW9n%I}Vn>n2Herg%T4U@|4oGj()NlJ_qGht}YP{Z6!!Ht5x^O;zKKLzQlDc7! 
z6gYMPsl@YycSRL{g)utLu%?5xdI+bwUR%NNBub>E7sAvIOj6c%FupagAl9-kQ&iz~ zIs2G%Sif!KC-pC!r|nXMVLYI93egcw{`?AGnhPY6VR-<`)=w(iYDj${_dG^kg6~UQsn2h8qOC0&;U?TP9 zWgo=ar>Dw!kPlOlo!Y~J&`ObC2p0ui;1$cO=~>r)b0_bvO{RkGGa*Zl;#Zo$^GP+v z(-PiE&?J!FDTMK|a3|^PGSi371Wq|U5v2B$!=xw+Sxn_6;`bCWQPWZ^VmW)+vXun# zNNv3`Wm=Q*+94XF?#EiLD%%50mjlb@Gf)9`nC&HPadDhY%rgI&#jLP$Tq!kkl1 z0?x)|DGKuz&OJ7Q9GW`yb@o<+!<@YbkWAE)kd=Rp6_z3Lly<;(oBZPemJ31WeT<4+ zkZ##D9zv&q_UDa!u8fdajoVq$sh5Axt_QTV?)Ee_s;01O;p=}~JlMR?!9#X-+SkLk zE?$`Jx_xrXIeP)qvLy_d_pp_w5)qkaz8m9|*M1MB?YHHAC^0Mvso!=yzU8_o4Lv@a zM63Z~y21}Bv|8(w4eIpSBFeO~fNWQl z)MowAzceE-} ze4Tv|3+xi?T?g9p*8ADk2+DqlGW3|VhtJdJYuvj5vj+H=eoQt^mSkF!8R{e0_}6=r z`2NAaZ&bOSu(!xl8@mn(8`V20s+Zc)Gp?WCs3N}yL*-AkL3Xc81xSnoR%VaK zw1bmV>p=(UM2}V&m2@DLMZY4oaTmt~kYL#w&QJ^F>Y<5`*#6btxl}*3h zSg^m6lS3A&rT4Z$5opivKn(BCrxGa{1F!8S`%pp5HTBYhOdrVLV)jaA!O!H2mXMR> z_Rh{8sf^s!!@;k_WEZTxvoHIu>n7H>jlN`Fsn4GZ{zM0@HyS#GwLWh-fMY|m*K{R- z#7DKmwBR4kB++HOW?sXZ@YI%?ni>(p_phnB-8ho?8rBkqht)aW=>)Xg7Pf!l?4rhG z7h=rImo|vEA_6wn(|%irD*46P)&hPqMhOt2is_>N>JJQc>6dQr{QJ>1rI--muP6O4 zxppikAFF%;vUT+cf7^qG07`(5hv;|>Kd#IUgnq{YTYA_tTA_lwkii(khRW?nfxZH; z-I-dNmI_p=M>wGZp0)Q&|M$)Z4A*Ibq%Reh^PM8}o-osF8AFd}oqebo`D{HID1Sv& zbc4Emv5d%qC)F*EC<0hRi>#{=wLs1SzLUoKH=2$45k4lIutk75wMXCPZ5 z;3$MAfcZql4R74$T9GhFJ|$!VYV$O}#-`eHkO?)t7H{x%IZaBIwP=Hh&zj0?BpDTz4>^!lj-1gS(`V?uAih5p1tIIYo!g>3$fHfPI6axUQ9jX zY@;{x__Dm_y>Qz?aRn;1>*IM8kHx-#l^oD zme|fyK?te`FC1pT(~)7$Vu!!*#;O64V;}2hjoXwcEIs`@C~x{i)}q_2XKqdVI`j5U z<_6Q)b>fitCvSp)Z;)Doz#JaTtfinpQIW(Kzh29gAQj)4W&iCMkq-&8Hixa*%2$dC zdGS+%Wf}0irkQEg-U^I<%Js^1WZiqWs$#bSi|`$rZ!}jQO;{3`qP^tG>=vgs@njKW z+~`hANl-I89bZ_IxUMN2sUJ3K#!QQxo#65ywf|Zsbk%dWA!vp{P_&M5#cpo&hf16`e9=app`%r@G=nZCo={-zBiY>sX+ zObY*#rn20@%;;!9YTw5Gk5!7DM!+}x?q%cV#z4y$&+sg)PxiHUbAV{8&CnxOQOgK1 z{|=y1NK#(W_Yn(&LSv~Z;zMx%^Ny~cJU10!TzAw`$o!Y&R)M0RW(KJ~4klTWM_G3H z4E@yPp*fH(JRrHnoxzPTJ^6hM#0bwPv7FX~11O=f(>AP;JCg6nq1I{7?WZrz%|x+G zb@7Mk3F6Fd*To8B1wegoKkt;>8d^ap1Ee?guv`?^%IPe5zTE18&a9y2xjsEd*lx>_ 
zgkSRF@3c~;Q_#~d*5~|l{89mQV|sdeM&-JMqIc(Pss+C4-vvx%fRa=?Qlukdt}jl5 zZrCD${Bqg;`Pn7a*@EqR>r6hGj`r(`kz z)NZ|w5C+nIxxMBpUzo5EmE8wXG>{)CX@Yso)8Xho!rd!DGL{$-=^89HqC>G195xaN z0y7vTLgRbm6XKV&0)yE!XZ`BzaWKM+Vg@-l6K?WwqbCXGHTmO+ zKEL%8E6a?i;wv;?Djhqtay!pT!vKX(0!+spOQahuOt1vxCszB3-1PnCQFK@Wa^GV@ZV_{SOUXxk7Bv5hx*Gb|9#hKOjRNx3oNrryj^m=_Kd zasJ21U!JUxh&fEBxbt4EUzwr%M zo5{bmy{hwo>-X;G1Kz^>9QPnf{;TF8as-l2JvV;bm4pK2!4!n=J|GI3czsTXgltXP zWS)-c!4ZPqi|4&ZNM$l(Qa4)(uXa#m3;)B1=3Re|X#!PaTn3s4rV3TI%s4 zzR=cTh@aE*-rDHq+TZ+DF408T{ZCN!>Wgepn53l^CQXf6`e0{BS=z-|3ZVhdKA-ej z8Y{UpePRg9fuHl>KU_^nzP~9Tbx0p+3C)l-e%VuYTXjs@Lp~3PMD=n%7ykm6zP@1M zS5*UO%o;jkKZ8i7)cZVX<(O|Wbx!z}l_^b{s76gu(?`5O$($^;Ie)M0-j^)t?3SV= z+^XbjmggiSQ~gQYPuVLhODqz@0}j~yHN)zwUz0Y6xW&&!^@SMdUoJ)TjI4?OCBHRs z{LmSV$rE8j_d;^(vOzM3^Qqic*`6&{v+B?-1Ku!}4?Vx9B7^BAZtAl2*eDjvDG&}S z7Z$a&dmP9#P@sK-3i5n9EB0iL*@n(0_W|<}yUb^o5WCX z;NO!Bl&pw)$BJk9g-YqUrGZb-{!%B{SZn6@_dRNy$NU*W-5#7-iQVYYp=<+Hx@D#_ znRMUn;*22v_OsdRxQ2EAr^k9@$6A>wHqR7v+#k_WG@Rizu_k^hb?^bTT0tw~G)fh{ zd7KNxf90QZ778&%g0h*1xe!#pUTm(+dzhg9XhEda6Op!pbsDAFbEeG~;Ff7)!lkoo z59@)>#9*8IKGg_Q^LiIGP%4$lfk>^R^y{uM{%)Db4wF@u+tb>yp2=V(bJ@rZG*C28>al z(uSHB1o)cdt-J^-;p60tv(2{ogGry+7}&J?U)NdEo*~4}Sn}l*rN#XKrU8heHR39| z&2Onu1lzQFo@^W@Q{UqD{iLwzs04aRlD!%T#2!Kl%I$YsU~?#RQ!?Xa?&bmYY4RfP z>{<2IOinic1I_a)klttEnzE}yz6$8>?m#TGYN?m{RBu7bbr#5GVwhj-o!5i(QW#Jw z&JDJkZR#doJIBA2+bVHL8LBhvuipZCvkX($C-PZ)`XR^zIZ;8s2)qImJh?TW$_!L6 z@ut)(T)zTLM8jPsrMKX=KA?OZTPv|N6*qw`qI)<=sVgSkiC*}zB3MS=XShy7O0#C1 zr!T9UA8i^`_)*>gqCNPvMk1!oEAhz=wh47HeGTtBE)M}Af({HUj80Ep#5wG0>}AQTXJCet3&Ng+Bo)}@#{p-iXQ0Nt zvicSRVxTr(Hapu?%40Oa6kEF*3loBi?O(T002S`C$;q~k`zBY3GVZv=YQ;^5F{;>2 zs?XBVivy6~TgUy63?I%PBE2YE^nI7tJEdMf$2(+dfd5YHznn2WQhjo*Old>$u#zhex%Mg#e5!s7+dEFrp zK#zOeX^=KC!(4-`jGzH2DJh>mRbO4EEs;obA<8HJ{p;Yl2^S(20hFBAbUsib)%s&4 z_yIuG(2x<1I#?2|14ZBE0D$FX(^Fn^v$Qj!J~hsr?*_e4DA4ZN}{~Hyx8;_f<*D7q~r|%tO4LI zD=RBCPMNQico1TuYZ)3>XSE{l3=Qp`KLY0A5EK-wbk34gv~hSqO`V7jEQ~F#*3!Gd z-6o0|0o_w22fjgrBo|-~{Jy?>R%*V!l7-3D2bRHIh|S^gmu_w~0QAQU`rUo8k%qB7 
zbZgzNzv`Wy9`(bAg^<$NJC7cHLdCPpc-&DU74lP6jrunT%G=Y^)7tv6&6jGyywK0X z4litNZLiT={Gnnm68qRs8H54kj~jEpG61+?VP_9^F*Y;=5J$q^Ev@7y!Cf zwr>QMdh+DSvuEXng-WV2cKlMGlD!g7UL$pxZkVd6s{?4aqt&@$7Xug=UQSa5B671a zFrZa7_^pz|FQ=(+LN}H_nPZ~l?Jcg{d%||g@RaPfNgv_{CJ$1)58#kG;@QNyPS_Mv zO^kJxU4`md1qAMnrK@sOVP9!YDp#`j$jQssQlJ=sa{(2K(2#AbkYp_hwsbBZG?-33 z7#$rY;AL&ohvgSPPoZj>XQZY528{dF&rFZ@TZ*4Tali=oCm>$$K2!7Ini1H!=wK)pUIOHbm=rVZCAbO#RWD@T(s; z7~qZ?!V2u)nQs=x+Cgr;P5eMQX2kPwH`0qt>i0A$w_$wGb75igA+6?770pT8@!tWh zPp0tN6idv#TSHFEn@Kj%larI7p@fdJ_RIuN$9lTD&WpDKRE7EYD3SNuYxrIeTL+4{ zZt!c@=K2#MXB}STTKoE5t-Xf;Fi+~>r}<4yKBqg=t#qs*T0-`dJV$biREiz?FH7Q$ zJTDs5&E;ML@ID>Z*MI6lzFBrh(cZm#S3DD5P!N*gm#;)}`!*LZFTAAWp8f6402(E# z&5aGa*$(!=JLHsJ_r za0{ki#cR8OHzOt{HdDt;2KXPJ{WU2`NmbO;%FD_e?CrVv__8yKzL7Wqg6f>{KhQDA z4WtJIl5@yF3_8eX(1>%NTV3CcGK5pUw;d-?mx$W?{rmUl&!4}4|NiC6 zL)0B%$HfCOCtEiF`kQk%9x21T`=iHa=5E6tiQjZgFRFT_2f+M#$S>6d={~0+V}oXF zF1afy|E#Tp-RHy_Glv8KeAr|G803bk zg2eXo4DSv%K$gxsDc6)5+ZH%WSjx`0P)7IuIsnd$x|4_pEa1z`M%_v3ugmU1LP?3J z3n5W5W=c;=($Uik8&p?Qn{bc1-OX3>_4{|Qo8BntjSvu-Oir945fKsR-k*(;I%L1f3!s--o?d5c+0ZiJXJS!s1XFZ-j zcYgn#Cb{TvjCq^%kWT<~KoE~yjk&i?LPDaH7wQtaa1ub3tLDVY%)-@1S;mUKWujPl!YO(MM}{bp!EO5k1u15MN(kSy@>? 
z3jzF~u0H%Kd-|y=6#yn*l>d(&9&iJ^vue&rt zPoF*wCkU+^oDU2O2Ql%D=dsd40e_fXi|k|SYbfbIZqWmRfU>f(t+68e*$&aW^z<27 zStiEDL;7P|ZmXh`08F;Ozn|x!injJ=U3Owyc|c*asCRdF{|TcA%gf7Slaa}8FW$ZH zOZ3lSflJ7qxk9q~N>lUBpI$S5{{C)E)h;n%i%G0uoIPvsT^2Buhkx(y&$2R}^r6Xx z1rvRJ8bGZ9W0C)JtcQ`mtOQ?gi}CU&-qR8i66)KcwJ3|a+${^o&CD29PxA!n(cEQ4 zC=~yvY97#Dp8zQNDM@QYFQonK&cE#sD*$c(siQ*<&|=9tv6)}Le(mb& zN=Qg(Y;64V=TF4Bk0c?_?f_FcY2M2<^eYwt4*modJsq9enwk_CJ8Lrsk~YrYJC_y3>SC6HBGy7k+)*H}u2asKe|g7x)vVpMK!E`WS> z?D4$M$mmq1f6lB6aPt98JTmL0;NTr~6_wKB;+Mt8Z-Rl{VgvuV+qk$m0CbicQ1{Gp z@MLQ&FE`gsoI#G^?c29C4EJAZYHG^L-T-rpi5YO;3yx<7&r9XEFE1|>qmGV_fP)5( zKR=%xxFx3lxFt&#!x>_i4i34fZI}c=wXC3NZ|A=K~ zXYaBS1aRbDf0Fp^6yTI3L6M+dhZjPef*G89?e_!EnEye;NMO+k3HL~DW!(W7IzC?O zU-v2UC^h)*b13>GBZEGyvt6~Eiln0#2rc1tgWtTlE!P5v4{x~@78Th`5WtlGamv(6 zd7~Cpz1bv9oPcQ~EuGaWS3G9y;^HzBLqeEjT|EuV2;7xxAtT0$Fy=pe%*hGZBtUtt zxs6R>ojfraz;~@-|Ar_t10v#Md{UBi{p@=7r_i7a0Un+x6S)_86GDQ50D2m%^d11J zLm;)1S%x%hfHMM2`Sj_x{QNFJ7l?=e*4%)Q#La)ILl8R$2LMv%U}t|nE63EkpO~09 zWK%u1wFXJpXVg$rTX#iyw*ZWo_xR_!`1g#Lw$C5!y8GDMm#P;fZt($->HkF^wkzuE z>jOgON`4Bjcb|=wHBJP$@O5?WN7=F=#=vd?1<0}2HW%`f#cW;t!tr0I^vY=mVhBg; z(vq2D_MN!@?R3va6ymb7c<%?0h7zLZ>}r8Oc#tF;BRnrve(GJMPB?jzWxHL z$}Q^qh7C|c36TZ{tS_tE9Bjm*@)ZLxwk#07!^Fu>Jp`oGBzep~2`e@uF zTc)r30)qZlz0Hf9i_ZZ2*w6=)Wos7Cq&nKu)3d!@(x>6AfG)(R5Cc95oucncQ9&dGqm7UMMS&-}$qb{e+(>bC!et1C zRa`agQA3dyGk;jjQsgMUiK zBBqK_NT@n7v3|))DSM#5|DCuNX4iiVRPz#yUJAtEQDqvR+?TZR)QqN1!22gIWPAdX zhvQaB2?)&-v9CBS7}1|?tG`Er5!Fo+`4`H z1+t5e5ygJ*-saC*Ex+&I=YGAGkofoxhv-Xgn|0$$0|NtKq>Py?_}I0KvAD9+{ck5( ze@T*wC?ikd{-C*A``vOa4zg%zW~H%_^kWUZh803{J%?l`Gu(HErQdf zjT-Zf)m5X)u^hJeJ!#X0^c&Z%ibVtkp_c<=Qp7??Sa@9T(SwA}C&YK}vOWIE;rIV~ zMsn^?98`x*F6B~j!b11&w;1u#f0bei=9?ghjfl`I9r5w;nX^&Re7=QUewUO~mxBxf zUyL*}3pn?n7@QfXj{L8*dYegSsAf&H)m}Tg%JH05~-eF4r^sCq&n4 zyowQDbY8Dtg_oF|md29cr*QIT=^8_YLqu4dkhl7#Qq}7mF;P(qhS%xgAt4akxV(#< zT{-Ihy9yEg{rzxqHAQlaT#6_spj}i;>+`xT{`z&Vjh&F2Is|&MkQRjq%BmMR9v&VL zJ6RG;xFX?n{xTgm7-o_F_Y!#d`K>Q5ZgwJ=sc(Eh%FB~HANy2Di>AdCQK`wic;Pl= 
zRHDe5rS}q^M6z6kd8oO){hfcH>rgc6SNLtDHn9H>YQ2q?m}5 zs;jD^t&Kg{pE7grE-x=TOiyr6t+gDK?cl9;`4jz9vj z4tQf|7DPNM7ltB0NXTslf#=mff8vZ-@V18x}_*k&px_fPe3kGcb6NQTuyp za?@$uWnRT>mbm&=KQU9BcmSGJBqJ@&#?B6}ZMm?%zMi4_cGZ865bg{QAKsjxDMXc| z{eVl?Vp#ushYlp{J^_Y*+dMpm9~YaB;oN0bz} z!q4~rE6#h2+CqpX@p(CN_v(zr6F6e)QjUD6cGw%7JLbO&pe^?nBW7OSlIrTQ>f~KG zw3|(I7L7|ZQQWyha7pLFB&W-E!f!!RPY|4AUDZaJ`gU06rPxl^_u<3Xajh8IVZdAv8IES1%<< zkB{Pd&wt!ru4Jn+@+9)0&G&!NcGVKHD&@ktiC!O*v*yRw-Bch|TLUF!4 z1Dlp(wSPky~rPXLUycXsAvXMhJAMXD|DF3=XNE zKHeg9LLZUYpKvk3Ot zz49GGBch~>1!QL?IAYX=FN~DnCbSsp)(syL=G=W zK1W5r82kn^9yz+Ovxy6#;YbZK@evZYjL({XM@OB2SHP}X@kmh6F&WY2=HW5(8_W9X z8Wdq#{?Hz>!8%cEL#u2d+EQ9f%p;oa=A-5|Sb%OLsJU6ReTWZ?h$u4}Du|7Z9UN4I z0OJ6mTF<~hsTS!hFF(NW;@UQ{2t7j%4eyx1z$sl)dpJUalw66Gq}=^wgc8|@=2cL@ zCzXorR{e(H9^?iC4C9IrPokq)pQ~8sh8cCrTE4MzB|fQ>|93)qs;|W@3^f zKTBoyL?DKZk+C5yj@xYs4!egWfFnZ_+g{N{R^j5}78`FojTGkLvF=@uilNC9ZV?y| zbJLsXFpT$DfTsdGfv5(}FN_q}I==$>4zY&{6^`H>Fjw%g4RWRxA|c}r;0e^@vOfWO z!9cb$)CW>R9X=nNVE=UA`rF-2a2UTPE zXe%qL_(5j98Vy#Wvj{e9cO?W){R>Fa$gqfb0|W2DVB%-C2iwBU?fg%Se@ES0f2nGd zvX?6JW$De*xRJxJW2*wFCznxLz*?YDaf&Wbf!%$W+H|=ewe^6N1lK`wWRodm&;F*H zpw%W(O)BXzcI$`o>x7D-k_3Cz{4vs%V^HYH{^!BPpFh8%?oA)k7JlUmoTi$ZnzT*a zed{!2)s~Gz!o$NuL-i?izhXV51f6~1kkO~Y4=gd4`W5GAAO)L!Eu(o0PE@D*Z3a>05Z$t9|Soc@+(1(-k%LpZwW=p@TC9P)5-a{7LpXWb_0c!udu zEApx8-Me>(ecDWzxsZ)^`!6o)1$iYV(mkZXrWeCB2PY4W9|B_H_bMvwfoNjeV|Y9~ zhLav>a6tNakCk<{x!9D>moiIcmcg;_xSyI3K`z)T1CbEGadk!deNZ=CURkmK>y1(S z2{t{XO@|5d;q~coAWw(<__`1l(f4NS1nQ-wr5Dsks?NUge<1-xH$jE>v5%l!(dR8799)7Z0sDRN0n?-}QZDU!x z$)warg_P+|;L3A^l|YQ!M!sCX zFJmtQL5JjGvx|yrkA58dtAVyke?C{4S9nMu^eA(H9gG$+DHDLalW|Y^UM&Y^sN01emt2M(D3y0 zgTRY=@|Nr>oW&tCR4T=({{y++B9uBH_5MGtKQ=p8*h2rLPoL_8)UmGOK=Jfjv-Q7* z14YF$n*XWmQ~R>z(&TnW>$3LEwY4Ws2_d<(8*f0_aC~#jCH}T3eDcb)Mk!2s2@dl*f+k-ew4R$7vbgOQ@D37QhZAEJ{~?-+E3x_hmPbp1)8*RBvk$W zpI`X4+(chb&E_n7gxYESbV7KrW-0M`u#UDa7SPz%v(&Bjq(;t6=$ovNLbM}SP#j%&RRBJV}%q5M( zIF=+5`rMUMqEo<=~o?IY>fK`F(A!v;{h#%z~YV%YDFn;n=^?T{>7KaEtl 
z2wQ0^@CM#kLa*uIMV#`)(Wi+Kb@iR?9!unL+A(A1jh78dDNh?V0BcsBW&Im-;o|tq zikhS2#E9ZWlxl7?{{iU*s>nb@Q#>A_%l~VxLOM=Cap*NnnzdXDq1wDWlP&M>2d8+>oke4)-BQYnQ}48c z+)+#2j}neF>Qrk@Fby2v&1t$-L4C0;*=sZHb3Sk}{c~Yl2>^9GF+%q4SJrNR5qsKZ z9aEF6Sw5497+AOaRbZtMm~=f`&9bvP#&Q2*nOzxiEH=6ney(2ZwD0t%3t6l+o`XQC z9xDz-xgwhe2dIAwV70H^pyzdc8|tHE({|w5ruGzp8{k5-Cfaxh7G8(p__7$Ch`7{!CwJc+QYM@2sYri*K z@Q&IjTWxV!dwe`}$*1xkWYkQ8OMB()9l2s-)-JAlEG){EHf#0^F}CaF3%$X|TS!*d zzXsJSIhBf2j=*V~uo*G_>9l&7qLLQQ`aN61cCB)E%Vk}7d+SmXd>+2DRZ9{(Th+EZ zm)MwMmML$PLXJvCR#)>L$Ccfb!a~dODtlk&;&PZg9;OwJw(NZTs1n$6ySL_WN!fIW zpjt6u4&(e;ro%-oI$Y41Egu+qX=s$AUK<<#g>Qd%cQWkfRt-jh3VRXnQ0K+_wwmDV z(u=gE)KY_7yPxZ=x<5>Wt){B+tF}GYDi>1YkS2H9O1nDjcE230Y#w7>X$fKm23>%9>0 znT}CuCQdspSD#lK0;6d`LAcQ6@52M2L{hcsJ6PbmKHvOx#NS$Nf4 zaC9AqDyX$w>Mv>fzb5@1e1{;Zs`X5Rf7R2s$d$^8o1Vj0!(f-%pfZ^|FFLM%XBk+a z5Zk}RO$v4H+S57q7XRY4DcTg|;gpBRZPltXz&{!4>-UscTK@fNX1g&iRr5TNH#vx! z9>%MC#&_6;%Fn*&nhI=Q4x`doxr|Gk6fr>;F}RAbN^URvmi1Mp9;<9fMA zQ9-WOM3p`F6(d$`2V>(km_2U9d7TCF3a~QtipQxi>#vMk41snhCb@$M@O;OWq-RT8 zewL+o+C=v$=}B+M_|`ZbZ8!Lkg1{bemnJ1()YJYz!Ih(e+HUd-Bz&trw=Yg6E~FcQ zBUmB0UiMXmfDj3$78V)`thQRZ$e9@|8bO=YvT1J?MRhoBfm#*`lczJ*P60q-t8qSg zSUOst^FC943|Kt;H%!Hr4XFn_?uTmX|*L!4-ztfl=hLCDqBoYmDY+hltM%DsQT*B5tg1$?KkU9m=^Wm{Ru z#KRUD|*ly;jCpE_tTKT6__%88M#Vx*OQ{PDO?2rG7MBITC`QO9@roNpFtwG7n zcDArpeU^)~tz8v5nmazZcvE7PZ4yyAlv_UkL&$NTrlmR5tG{#t>FDe%#PYPhTC2gk z>8|6AB?&2ubr374TC_0!vD*F#2t9w|dVvo-j%W$Fd@O(ou9%ztM#Rqww8oY0tSQp& zjF($3pb0kH7Pq#*-2fAC-W^8hkC!vq%O zjjBBlU5bo7?eRytsYcYkk@w_F-a9*(xB#20C@(*PX?&529kpIOx5xo2_D6W{Vu?X!e$HAaNT<`j`@}-!<(h&O~uhJU1zzcach-LU!@VkU*~2;9`l_}5BQDv zr&sTlM&FCE&4?O7g*v0MmHCq6G;FVNeL1eXPW^`(<{L8Hzhluy@fz2Qw#r};DyUi$ z@9FDqwy2M;0@WaR`+B=aFac-xMUiORqh>=@RjL{>K}kAEj2E;{?l|vO*4LRxI9!2kTuw$NkjH&-c=j<0>Zt=V0VMpqSH#ctgaXK=b5_2;9C%NGLL6_eC&l4mt(t&$ zJD=|*^)Fc+jZ)_++TkYURwGmQ{m{tXw*pd4v>JuUy!T-v>sOzI?>S8Ja?jhDbCd2w zNp>HM*-|s!(5x5sqR!^@EJ}4u;2GA9=%ab#YJk>y1PgA(J^JbkP9taXd;5kY-Nk{+ zMH3D-^UWaBC#RdgU)*?L1cTbMX2}bfu!;VSvcFrcm5s;FE)>lc`+V?_RVP`x%8ucN 
z_{gHwqZu9-L7l-eAr${^wv?O3l|`rp#5rw?TM-U%Pi=2CQHwEk#39gQ)okURY6Ui2 z3~yPMgO!6l0y#G(YU3oS&P319KDFg(@#^yy>-vK}8HAJ*v(t_m-3cgb@o({rTL4q! z9F3<_5Gn2BUqXSd=?`oDlRA(37~Ap3y_tnTQ{z4nK<;dwio~g!ZO%kJ5&U2|mf){Y zZC1ZkDuNl6+k2CKkl>wUaC;K|lg&%mY)f2)tSimjt9Y+-_{^?qKNni``4fE`!funsn!{Ov{qT2!h)47M7DmDKAR|Aw z#-VTAvdvb05@uxlUk4I(Zy!ghl**$<&phlsgatPyoA~T(YUYpW<8qvrbk>4BzLQR* zvy>WucI1gyKh93i2s&m3Dl>@t3Ul$gkAo)<0rVX?#XuScA(~eZUy0oEQP+^YO=$kv zZ57Raki7bqugXVLqV1l*kHn9|<}KC_CZ7++}O=2gg2+yYhh z%!8uSemR-I^~}uDO==Za?cchiR)JbLXF5=&hq{GRcu~=#>{nQ?+(TCyQn!s2x*ne% zReX(GeX@V_c~f}SV#kY}-EMCztd^R0>{waVICwzT#WUT_#GRP_$5QB*#=|Q(JyXr5 zjHry3OD`UC=Xeb!+xVJaV?Rchx%i+H{0>}^3O|IR4P;!R&e=ix3>+Q_5sBV07 z)-AEuRI3kgtAej_Dh`V?%I>6VmHsZsPQ*mc#YteI*m$e+;nU8F?DF3#_%Z_$$+3dA zYy#d{SoyP70z(WW6A&1jT~wLL6Dh?-$3<=SfWqtJn^seEH$zmkf$4!?p7eRPlFd}m zN>wkuCtnEd&Sk>5WSsKOKffv!#m@767*;o2E(Celt2UoMf8y~%QkU+H#}uu0;7axU zk1H4C`>4IvAFUHYY9NR$Nm73(blBo2LcKw*RYBFgsNpqPNSwUr6__KLrgt#lvw3fp3DU>-}xU=cP@`nAW1YrV2&y6Ht zs0uG&h5rT)<;2qn%|9qL$D3`_%m(an)~kd03TpP4q;#PQ7BQuhr}qSeU3sCNDJ9jB z+_D!qY{)N)f;Tz#4=ruQA-ndlJ8cBdx$2}pFVVTni=7W9o*&9k^9VUi`tFsg#wqje zPMjpTEb6$^4rsp8YK5NKTh4axa>6dQa_RFTU{g!FjG-&U= z<7AuDCc`K<`CIpTh737^`}`csP12VNjLIjFZI!I=6`s^CC+@`6TJDz~bUiuy)oyw& zuyYXJ^aw?A`!9QmiDPrkg7NaZ4X5Hf6Md5$!SeO(;F}b@_Yj)=EQn`uL_+U=bmAcE zvouRbyznDJaSmJRzu`u5b#FrF314WJfCWfvo2r|am1t_k+>#jYI&D6y5w6@Mi581V zd8tZ}e?leQUuVZb18^M@rEVv@=gmPM4Ir2atHYUaRD5>R(HiY)}QcSBR zc2@JZoABm^cI7)`)ff2h6uTdPRS~o1zDsU`Qg;!O<0gz%xJLCOQga>Pip#2SR05b= zzYk|Kj*9J=HDIgDAtQQErkhe!q;Bv`3P(R6Pe#y*pkq7XMoW}wP2@9gyrvzmYeiiw zkFS3HfhAJX!creg{zYaK*wvr!nae*3T+uEKM;GML?fkRr$y8?Ss1@nhPx}1()~FtK z)ZN3yA4zfRD=zFSHKnyf$HOiHvBGa1nA8ygNhGBfF$|EgPeTI5^MQxP8mmKR7Fe!v zuRJe~x?F-H12clJzVXm_eb;~B7-*+y(}!QKUbkap3vLXwOlo;=A;Tp0v4BPE(Km*J zD)X*bp=4*BWw&{k(-~@~qFYD?8%bhG+N=QMq;c`ZqZe8Nay}IVKBuCBdibFK0Oj&R z54!^O>ETcMxOL~WiK9D`wKIDc9rp9DjH9G!7QIN&!ZH!u(-)U*gYYTA+kJn9P&%%bt<;*EgH>QTy3u 
zLZ{CH?W6tACabp^DbPGa6Vb1)a}bbDz0R3=jt)HL4}_^QQt<{wPUUh82QE@)7Q7=B+Q^3Dgf{ofF+1b+z((B%0@a|KiF&(l<{0XU}cY<rGlEH*kMtYkY6oU+u2wa+IY7ntpCBfZ*62-_)x0Z)+MrKdspg>PgLK|j)j%I z`}8{1K&JX*xwZM=`8@C>8`@mS{Y8y=hf)`IE&X2gtDEI)EL*V;B`#fz56tM2pP9`9D$AO zZ95v1UzBcq)2fs=;ySO>qRg)`qCV8F7PMhe#llP{<3E!Qml`ncpr7>A+#5tW zUZs-VE2vy%er_EyuiHVydG!RJb~$g5Ct#@2J)`bUO++ugNA8S)b&!_O9L?uT0D+VpZD)% zuigvjave{3scfj$7z!W%9sL>?>o_Tb!t7O`I@CM2Y|8SdZg)968O#Rmi@@WG1}$1u zrtu89Y%EnSjp7y+*BhC+xndU)9rI90XvJ=t6`lQ46|Q*E%91M^jG@Fc`1fx^4ji3= zrrtzKW&UlY*s|_reJk`@FK**ikQfz?J^Py6tG28>AA#MgbNvf)dI72oip%s*G+8a2 ze{Q}2k^>*rNyS2U+5+Wax3%@7zWqd(=yZqEc+JmCz%5YpU`ve4&*c(glGh!*ocrsk zqDOK`Ma2&TGS?rH`HDBAwC;@ieavX@?{o~!l>M$+g-Jh+fXioeCkvr4nWQ=~ z(Shukk_oFegCg4grgFJ6l?ITTQWkX@Z^v{^)~|zSj|j5%{brqq#X^Q_DfeB~K&7vA zHKm4&bB~l&5zy3MN@c%TWU0%^{l-~OaJ}|6+J8pXSC98Y9Jj8tzW#kp3?gk?d42}@ zL7%bEi_KO6>Mzfh$cJ@R4axoc{hi=Y&M$P&~G-yDDckT0PvvCGqqJ z>LFiD(JHcX)tfXtTm5)cs%PSy^RNlX0;SMYmrhne(;WABgvmRck#t7pULp+h2Ls!|I z=qc4kNUo5{0IKJXpG%+p;ZEpv;fiTb8@`k8O|_$kUA6`nHjC}VA^3YT9VR2_0Jc^+a&IH z_cDCrxNniqOD?{^cITz8fL_|8(;!9(MO_=32-)v52~@%%3auFk9lX_R!f#*`{M(dx z61Gy^wq>g9k1SrCWLCyQ7ELz^7v=bp6#X~#>y?ze3Q>;ad2l8-?V(|MNhd)x3YW9%HNBK zTL>>-U)F~YKWd=|pnh5Y%SM~Y&vnFesX6~8ws3LcVk|?=iLjAHDWqqjnM}pdg+GyDamR+0CcIe zxcG5QC&()z8c#O_iN0L4?FFY%0PY7l9kt`{+_S%dj}s>lE110GESIygcMQGK;o)IF zKR<78oa}z?E6;Ndlw6j)OgjblKcZHsNrarW^j1z{R1hp*?xApB-(WFiub6r<@v-41 z!tp$(*VKh*d(2d%=0vJ_p%&|GGcAF7lp-~Z9^p4seo(L+bv}0R@EhsrOH<>&clK4#DJ;YGC>X6$3M3fxmCT8IGG?~DJ4!SW>$uvMV(P4N>|bh0E%bJG~zu``MnZ3PPBT`t>$PkY!b#x}_6WpN0w3@Ba{@!c)V6$3zM18WY zK0(z|;9@&_a^U82utHGmWF|9cJklB+ep)hltgZV%-L~Cq$mfUx8Huv+>*RM`_`L*quI?Hd@yIA>Co!9Nsp`0=B=NuMVxWz~Q!n^7-JZqD2 z7Ce|O4H5KrmOC3*NF}|<+;A+Bo~@YREQ*_@ux9)#AmL+jUR)ue*1skoZ+*72wy?UW z_sF_mCwe6ExHo5U14-Vx-6Nz~nk!SlUi->rDbheUEak+CM@XPhs5G8I0kzRZbs8bQ zAKcw7nFt?z<%8Wq`AH5+7NwCMI{Gw;m{I zx(Xa35O=~SpRX@PO`O#ov;E@&VrCXmp(lv@4(rBiMq@*>0#psJdU&tZZE++5pxU?k zA|&URrV%g2hxq`e)SY|_byM><>gu&REkUqXYo@-nF2_|g`dkWKVQXD3M4bs(E(CJ7 
z?dukf@UGyzwqbjXJQ?uZK$0A{sA}38OWIhmx0X+yw`bzNWj0)qd+gUh^s{%1Q>(#j zJn=47nz0OB@Dei&9!W?@7@C+g+9(Cm*wLWSZo_JM*UwgZ;&6S*d7{Y)bizJ6gM9CG zrTfptF6=h+j|*G&z;k3;PZBYz5-dm7V4pZ|Jfjc&nVns%$STrk(3m@B!WY#6eIb}v zgtGs{*h#Wx_C3DvrLV0bO!!Hn|ECu^C7L66*FpbiB#oU>eIse0zgGc5|NfzE$#3f`fB++;C2l4oya)ZP!n99m|ICAm5#Jh-icr`FMFDWi|H*77*@ z;*`TU6F5k=k>kk2%xxEE4ZCf{^&^Ff@D(URT1d6?k1zktROM!I_S}2(;VQ-;B>eE7 zXspm-Q71H_ntc7D$$FJ}O~)nW!qpryR_I?%mzqwji*ov1xd>i)k2r#jvVSffrF0B@ zt}`OtEcLBn4@?=Vt}*0S$MPDRH6@hx$Rc0+vc)wObGZCN@5Vc+2~RgK=u8a_4Dj+> zCkcl&{18#PfOZru;h#|_x6FDN0J(l@zd?p=Rvs&-!s9q6^EOvtw31SCh^Q@T1L<9|UdC4i zxjgTWBx^9Z-C%%~f$AveUK`p$!;II^5-Ez9^@==8n zAUKNo{hgJMmK~4U_~uD&SmV$jsEbAY{21tyV_nXV+$whEFgTjM{kc9=b>JyfFmHq2>d|i^c-7|(~+MpE{bJy z%cDWG$lXir9+8m2h-SI#lbw*Q4;$t-?6#82XDfaC-rSW})3=n&1wiDKa5e9b;jABA z`I~+W`u!LrEFCH}rJm!z`n`~pw4RScz%Rl0i+NI&@>mwHnMJr%P2w-rM3g@vCA z!jpJk3STK)k!Os#P^>4u{+DaTn=hw)%k^SBaQ8@v({`euYP$fDx@vcStDsbc_!hgp zP_?t6pXT7T$U9`Kc35~%UoZ|Aiet#)eIC&eUTu5TR1krGQOCG>-M12YJ&=7(F({Js z&G6pt#k0H_8p(r&YxGtTM6R?yKhMT~0%@9k!&&-MuOGg44F`H2*D`z;Hr3K|at8dY z86-vH6eB1QPsozbY~ITU+D+3gQ&ize z!3vwp`D6|HnzUoMk03SobYH5~$4xJVqr8yg#w zp@NUlSxg>&#crK}$x?QmI3mb)ZTK7hBtGA$*;VTZhpo$>Y=c|ecDk9$`8%d*%dYc? 
zXSLKu7G^XWN#)2;%}KY<*%8KdE^H_8)3QkJEYpa2z}-tK&T8hx*_J1vq=>WQ@n-|n z==;omdR%;PI%hm?y)&Lu+;@G{mjOFTLzwGf(1UiVYwlC88aU8*zP$RG7gO;kPyk}^ ztTEYb!=S%gVUXnd9nYFo!AVt4-*nY8;r^6rkr~_pHuVOB9H&QnkW`HBH+@|qVffzT zTjOYA+BTc|(O;|AX7s2++_oUn@mrQ#D?Qd-1i%-KtLf@HW%!D%XJLJWs@=M1Km`!^etg zbw0mjh86}5Px-lt?*zNKxg8%n2%Dgl-+?r{T+u4b+${GV=BitE9zk;$$eVWwc058> zbc>D=em`v2J8}){%ZqJ}K|%M_NcRa>2w8-$nES(-^>*@H>lGNZY+=%-?2%qf6}}wz zrjcbPMzhUM=MP~!dF|`4U>wNe6WiZM>&|jL+a%25HnJz}D5xLQ_2n+#WNYO2!q5)8 z|Mj?v%Z+^UPXMQyHsk*sCjiNWBhmKLktC<)#FmfpG~N`0niZ89=ai(=7J6jeQIUXD zPzVqq5c2A&3evcI`G<~Ygv4i22ST->HkO3wdoqKJ^+E6DJZ5G?UrAw@nwXH33){dp z^}Zsf{}EL+S9;-uqPSRdWci~}uC}xLtd9{j$5*oC`%)w}^>TX}lZG34IsZR*spYfI zf5H*79Rtr!7XB{kLl}01b?W;pncjA_*Y}zhAGz+K?FM*NK`fxGs~y8f3K!AOjk5Uf{{C9z&s- zbl;QLehRsVv8ldkF&jXw>?vLs(PrmKM_;U^dH;sn%e*^L5fQ4%Dj3(ZWRRjf%K=8T zEqTHlj9Qc2;i@*|p@iBIK|dn!>9wS82^Mhj4!xAR!%R3U!g(OYH}=9_eI@uAUEI9{ zp1>6ovl-?{Cb7{1$9kJ8LWiv=O~G-=s!cD7T-Eb9!M7V@g?X#qwW4aL0&}c^3qpj2 z=j?=})#<$2@)x{GDwTI^E+rq5;XVGIpLbi>42tX1SAA7ZuWRR%UjB9aX`Hr|%@luWxwBd z$Kq&o(IPEple~f+EG!FOiEnFT$;rx5FVx>T>soz${>^*Rd9LDYVk30iDmC;UxSaB<%XM-P2Dm!!1K$y%wQ zlnf6HC|&L&{qVq0AxrSU-+#<$SMDPaDaZ0Jz7{yw-is)dHGM#}Ew)z^a1Z7~H9pG2 zFzjPSn?FBp_gWkEdH^I+QQaP^vjxZG>(Um^{xp6_I`JNb;2wxm^@62_b%JLj6kaRd zfB0~2%_+x$G`CeTq_0eXY>hzd8^D%;v*J5P(iHTb0%?8m-2)*%0GLlIQ>S;xrVZTr zhkv8mx(u8@()_t)bD3xGz9yAVUdC#AR+m6!9^rrvro@|iCdVb?*Znw*ieblWD}78+ z*S6hOIod$JBqnL#J@gWc6DFn=1UFO84d{&r)qw zEcg5jKE*n^j1~jeJ}ir z1%^nn(gWMrS~EmG+T17AVxKcAaCN?4*ZuC(w*xN!yw1w>Uo5gxm>6?+%P3b`5&DtG zRomuOKlja<*UZG~84g=uvb~_NP*6}%4z$B`&lVwPMqZ2Ql-2sV{G(K-YYer1;qQF} z%e>RQFn|#H2yrL2_yOMrtBlb{#f&c**GTK)rW!Zjh(t;8+#;9DlI>*SA^&*0Am`I% z+27FyS+aP(hHCfC|LT%HOmF?e@_Mi#A_ec80ja6^du@Yma1H-+j7H;`>@mN6ax_Ny zWwN_Wbwi+iZ!uc+8#$sTZ`xWYzc4RTXIWD10Son6tLt8V7cYu9N@86tZhOR%=*LJjA&bk=g^_*C z$K%H`Oe5hL6B8D@?(KAjpUn5nl*Vc!F%Vwgzrz4tI_Xi8wdSi%Hk4z}T+HJ)%9U1o zjp~TJlRu=db5M6r=AptjlG9rF*!mmd2?aj~r~&@nWxzltcE1&zlA=9S6Bm85anX<1 
z)aq$`_{W5c(Af6UOp}GG=Di0QdIri?Gyc5Q76nH=3O;=5KQ_`)^TBX0kbkp-$;kC8TIEe$ELx;?mJ_3ig~CZ*nCHTrKA6qQU&3|Opq z7rnh3cDy{r2JtZj5$s^HK2-Tt3wosHwSEKANv>mRm z)TS~lba%mWddk^@3RWb=?tJfz*P|8 zbbucKh3>yY#(+jp`Tyb-#B!J;Z;_HJsH>Ykx|8us7$;&wqjm^gxi-ZUyImjRP%$p0fbb?c29V zNhXiqwBdEQx{RP!Dkyln^GfqZQAvsDix+xh53q>7q6bdh?#@<7uS?ybSVrxE%o|N* zf+2A{ik=+wE$O#!-ySsj=X!9MTF5^iY-wwQo(FK8s9~y?7-s7aTgomfgpG$EiJI%` zGV}I=Ajl3lJ*zf?Iq8q#0(2OqoI_b_Cc@j>6;Y*TMCAEn#z^aOMZSsxSnr0FfVeRL z6pGLHwD@1)DI+zg=|KSr(yJA@i7!UK^&UY|WdL*j#PB{~AQVR0>04z$^issm>Wg!# zGs<2IdeKBFNqUzewlZB9=!b!KXmUvkVkQvN5~n)-V7%Ql zL;)ZkEWu1b+!%qS9?h++tOThJ9i8he2D486gNF~T1!8XKc1U63Yc!e~8722&x$kBV zw7GI<`ika6IrQ*0f+#)qzLCcw(XfP~BAJ2Qn;!Jd1gFI@AT%FNXaXhrbu8YLk)^J| z!NJwlRnSR-q6ib0B%m}UEe*e{!TI+7ouHm#?!n!ezX)U>o+v|kohRt^jVj<@gI-fK z`>&X8Zk=yR3@A)Di9_~OCk%bbL?j^&{J|DT@y z0eajZnX2GX=#uEmmmvEDDTcL`6{|`a!BJYO$g*9pA2a+2xwRnZ9OHNlNtl$Y?DCJl zn;ZD+UIMmI_c9E@Hn+7=%ydP~SU*7%h^P)i!oo^QN)rE|(PW8lIMtfyL6pcfLi?wo zsY#I1@1+k3ZClT{^S27EvVSE1g@quggC%^ks_SgBZnoxo8{j_hQKw~8`9AJUql8K^GG<48_RB82RSz&cw(FB0FuK?F5i^0xx6?V{d#_ zXHK|P&;;;!1sS1#0&6|k;gh8bWG z%LVozy~L7pLzj%TB3?w|1-i6nwEHb5@>u&gf-cTOE{o$x;|>=^K_a*}unjPNa7FNo z8`^;`z{rRh{QliLPZ$6Q4+tP|gG+ytupT_C%eqZY{sDL{c3acn82Uch7zkZdob$Dci{G%3Yofs&Q>E=P0 zzcbG1at{Lo13^s)FAHuk<+$^mL1@^d?&Oya$R|OD1G_aS3P<>Qp@_9LPvO^S(_65a zpiKNX=0hP+fdggPA3T8VWT3APO-5PMZl<2Rk9T1lx zF$WkU_?Coji~C^LfK9U|j+U2+Fvz<-Pm>Q=vihfcdwZbO8WygLLPH^3RP(i7Dk=Sd zus!}-Pft%@KcjCcBu?ZiQEF&aRn_|XI+zkbjk>-$*lkdIWyVeS_4Nt4B!MyefH7~r zm;Ksa++NmRCs_@9U9TQy;78W>+uPg0OtWJ-QZ$(QHLR>2k=w|~$T&I*4)p9}t6gnv z(%^t;b568FxrMRuHA1FH%$$*l$>8PlU%%cx|Gc~mz?r5U>P8REhG(C=h#Ht!2;Y?V6Y&J$;?zPF&a8O+5r|6h%gyOqLetK%*;5%p_WNx zldqI*!POw4F$rD_H2Uup6bxUwPEyhQ0u~e+7-n3T`$iWZJY(P}(0@b{q+<>b4C=706s!-j9GG$k?-CedXrTES?1NP?@2Saqg4D3Z#YJ$`;Pn6+B^VI` z<_d%Gjo&FikpBDkZ=u`Eu+u=$$ReKwwGH?#T!vV#7ibH(1ulV>l$J(g2P|l>#Q%Zx5*tq` za8g}k8t^7Cb_h=fdU|^;y-y3E%LY?}afK|%gZTLsM@0xuiNQ(G=y42PwHE=(*O-Yq zXjWh_qWLbkvrnDT8Sif~VcvLl4BPnc(2zKieSi=^Yo(QX9yb_2f#&{w 
zeYo`)STyjP#o{Z#76;%(D=Sk_Q23M=Q~d_m-k<*No}M}k<41Rfc4t*xY5tK}KO?)6 z>hkWjg+)Pw)`v1PTJQXt8ewK;G2~K=&Z~xgDX)llnDqos(g>|2-3<>|QTRrHJw-!3 zzHM%rdHjB(rj}!jdwzvGt3^kt+QAy+{OHK}JmzWt*jTk*PvYsR)A)2tCC0OVRMoC# zHeg}mtj)KecsT?_Hd$Gk3liZLjVqO7H4rf2x0Q1^Zqq&lTHkv7s%=Nf3cbt5DoBz)G}-P>CL_XGqr zgA91DG-udE)78t{`z=basJIvsJj0awpw0LF3@4D7$Cjxo zQGD2-X(uHmg{$WvZB+&yXWW7eQ$j*Q@~~Y^Sp`SJq(1QGmaGg$T-im+x>xpK(>}M> z)zQ&QG0_y}x$_-NjG>cz#303$1_KC^n9syk5R~g*D{07>WH& zy0fi~J~(NiWx0E^cPdx}s>QGjfZb9_WR)cN^B3%nUAcsnmsg(UmJ?CE1wbHS_dwfq zqvhMJe&#&D&RuZ?p}ohj8UY3Z5`P-38BrCL=pm!^rKJxwPWC`u1fjOeT^25jX_|cc zY#`^V7wCus`^Te;grpJ68we&-%fLN_An8jD&K?3RY~A6KNkamUzmLNq8q-t>l~1W) z?}1r=Yzr$cDM?LDH4wyjhGq1>2v;+JsuYqNk$(5?wo;6nHe9g>xmwZZlKU(y6qQ!g zV_P>GyM`0AfprL?X_&sQ2LuA75`OuaO?FS%AelTZPfT=u@#OJi`+ij+KXg`FS33Nx z5Xcs=_4G%6&(u(LL5|IxXcHnUBOxK@;teJUNW&VcWnkG5$%L`1kN5XK0`!7$)BmTk z?~doX|H39jC3{t7R#HeJgpBM&DUp#WMvb{c&@MR z^?P2g=a0u9?(Wy!{r!AD?{Us`u5-?HL@3)ERPmSbA;8lR)cjKeOTg3jT>^NZnaR)p zG&6G&34x9h_nZ$GV0F2Kcf5{f9hfPYZg+ukQ>DQ&hdMzUE&jm8fO$ug%6zsWX8qS! 
z+nxhSjt-aMv+R4dtgL=uM`YX?Vt%_EAz=5wi9JaPadEhCC8(A1t+@VDq=0QK@a9d( zWJL(-(d81PHP~!+bTy1X_3Pg+2=z-}ksWC!yO38$@-N$>d3SMlLPW&PXqD-g8tFX2 z^k~wC)iPT_%!T5AbQgweC2-pH0am=WY=^%cH8cIe*@LeRo!QscZ<&uq(r=}sql2J_ zUWUOX@!0Of@>2_2T2aw#`T2#tR6L;3S6O))|1|=xG|fggnvy0uBXMzZU%jGz4LLz} z1_uAH_KDvpxP6Urw&xF~X+^RpP>i%;1>y<|3ZfYd1sVPCE3&kXIuR~HE_`HrMOx?v zbA=(fC>fYsf9^*S9C3QpdHi!*Yb$~Ti{GU3Gy!PR2Ikp(WvfSaMuzoJZA3}3%bplX zN4}2GwAz{7JUl!S60Xn?1cud?+1D*S*^~&EffA4X!otiSgn}PJ^6BSKmlNz7d~PI^ zKjAt47;QM}V!4`Re-GHQivBMJ_S_2x^7Bs6fJ-3Y4v_`_fPgWlqUGgf$YVfg;gLIy z+=%8vSn(M(7Ls{0lzlil&Hu zbHk11ykIN#?bDnrV;63km{Ce~^to^|$Ba$er&RUh*UXB6bIc+G3{qpwh-Fwy6mVfk$ zjg9!uy8sxe#~maWSzx+FV>EBMtQO}S{vJ`efRGSV&Q@O$Cc-B69Ymxs>QodE5P(et8v`y~ciqn7h6t5fJ&X{l$-{!|0vOII_*az4ZR9rwR%vs7v zNr^NjY(?qFRzkCA!X0>M>(>Ubr3l`JYH#ZJ(E~SO_7X+6?5RmZ#?3eC6v>55%8rPN zo)n~evh#5%v&R~MVj{Gz|JiLawI+|2a zI1|vP#Ho`k6cM#@B^B3^faATtT8Wb$sY#DDi6oV1vV{oMd}@ak(+8pXn+5*r_; zgZmcRW)l>Ob3sF-6k{JG>obRLd}7MpT4fHzXkt+w($ixMW+|He%|*TNFtrCL^<22jC}li{g>zE zQPqEjN0UrF4cAAKm1@vcP3^X4Qp3?FREJ_8K8)5@0t^>vChR2_C+Du5v-<|m0+K3< z;>f0@?Qwoqaz@cEs7THc=Ize_I+-A?lWnxLOiTe&ZSC!ltJG*GJA7CX4pd)1CU3u{ zRPfurzCP>#6y*_yUJU9Nx)vjDy|X{W)KWAit)r>wO|cmT9xA!<(3iJDL-~isMn=w- zxY=X!+S~I--D@AuvMUH*GBbnL_cOUq*yXKTw%orq7Y9vfa2*Kei?rCuXu7_yOM@)X(# z1)Iiz9}xbl_(X<>-z$Z7PqN%Gm3YSG+I~CEue6DSS!vp8rZWCN5?jlQ7k%=Eo&*z- zlCc21wY5dW$3t{A?B;`B#B8eb;GuA34$^9;O-z#9tRsVzG9x2nYwkvbL^nh#AMHi3 z1vDcBkjc*R2ZCkr9j|6I<9PWt}K;q`=VLeg+jz z^Bywe2G3|%IGNL*KabOTiZy1Mhq`jfay*6#eWQBq1Q_Yr%t*fc%>++HWRInIf#}t0v=B|HoV0NP`d|6 z7gGqdX$_wBO{H<>nAOlJ-^D39LMicH()23i44`m&;DCL#M%qg)=vBg|zx9FL1yfz2 z<^eCQwsCmh9liH(&~eZO7$DWvr5K93a()Bw&Pf9jaNU%;Nr4`Z zd7LunT0x1rhqqsYhSV1NCNT3a?`3{?|NfBzA`@WdE?fvhL(O;0jEubb1=L&U0I%~i zm~|}(Qe2-WH+z8bBU?RVY#d_Hq)sNsyJycW`R1M;L>%;6UQyH-ojv=dqeI`sBr!5l zd@w_b0f_`~+u#Xs_72d&GZJFiJ{iJ!mOm_QW?QZ0pH|TyE$1V<{2ZQ#lKMbs?Sox; z#a^6-@SGUHnqtGwf{0QFq7Wfz%|NA$X5VX5M;0d+@h7sJiDEo)U zLJ{qIx0Lem^FtDf`)hM@8bgt)kQ&Q_>S|TUkL7pjI5`+s2*dD$hT}D~z+yl0FEY-u 
zB``7Os!3X0+#v-MPO!()kObgtLB7n*$+F6{pGP1V+(BWi$n%8DNf`M9;9*(4uEL>#(f-u%oZ_wIqd`UwOxdS}jv zi;3ZzhR&xd_qtU2f?C(fR}@1D6a1=9{*mCKcw$v)Arx|lYnziEl90$zpkeO{`84+h zg9kEkrJ$`D=J>*|a|hcW0vX?LX29hy>Da%x;9@q18IU(A%~<-wwmnD0j_98^FxYt$ zkyC=Ia9ar2`;tPo>_Kom_)wrPd|z6bpiD@?zx~)L{}E9#gjZpnD1W8**-=8U9#7d} zBz;)2p%?Sa)OC4NEX_qeQE|4mofslD_Ah#S-fmU5C!cLI1942XUjls3j%GR0d2921 z|14isXeU95PM)T6`|K=ELaA||h)8=^hi zzkeshJQK>PU&yk^q;Uy!lk@fm(;vKC2URG@6!P_eJ*PWC!S}UHwrO3d56*3qsA(W$ z<4wXP35R+!u%-g1ic%U@e)n-TUWD`xj*bukAsp&}W)cX{n>9lF6?lP{mlw>IQt_t! zI=BxlEvFDu=eI6P5h{1Jw2TqfUo;VmC+-w@o?A9xy_B0SERDpg8ug>m+^G3M0 z`zx`|{n*%`d`uuoFODbUAlq^K%sv5u=DeG)qgKyw<`2+-kH`iP6Q2?s?67cLptq z9}wayv?ua;BLOoLK+og5=tsL_iqd6f_*II(hldALBqv5jUY^~Da0g2aP*+)1MGv`w zbGQJwqXg&L*Ro+3qOGc>+Z2P@s8nzZjf~0?z? zwec`}ghR z5y1MGACn0Zx_8VIT5h7D==HD-X(`JEFKo&=Y(w4LByX-YQDegpzQIs;G-Br=>f=xhgVB?CxNKN>wd0<%W?wwSY9Q&n{ju)T!^Cwa!RX9srPMN9#X?}kf| z^r#!iuVv{=q7JjO*S(q8vQu%hU%k>1npxOl*NO-Yx6XPSH*r$th4UI3AMce%(r+F$ ztyDO6?B;Tt_seLQ_i1W^BjnTZMdird}SCB1hs zGDgJ2TzPf2)%ypK1u@HZa2Ko_k6a>xeFAi-sdg_RhTqUAhqdykfs%WmTc^=aID_xxN}tOvMeP?zDP4f`ike}Fn39H$B- zX?qBJ%4uSF!123gsc|nSHd4VSD<)EEH*5W9=>@J+6_VIZmIW@n+Y zM53S7eh}KbrF#gPsNf!OsqK~!jlYqU;HMzWt-#Us+7&LjWB=DS$a!~8xD?lz)gps~ z+J@lZ`KfbVHQy1OjCpcJ=rty9^S5G80qQzG1HoALp9PC=RO8UbM^MS%Pw7WDHsTmt zAE1r7JtRVm_5$vN#2rR?Y*9SdiHFgsZdiqB`g_k(OU9TM!Bb%XL@w)=14TkoQV-|# z(uYGiTWfx+jl(3j=8UYY8R*xsF*657V*|WQe%095V%!WUc&b3fPNo1~V~5rA#v5f7 zsPj~mR~?XEg@9qrpOZ(6A&lw#&dTk$u03uf{s6DWOSEG zSU_NhohgNa3>Vki^CDj+ege*5E`__4AMPc=+>-hbBnLqo6OK#O$QKxCz;D!TeENn| zd-=*1P`{Y%lulla^TE%@x4alZW|4p>3oG(Vzh9eK!~$kQ-v?Bu3RqTf-RFnb;{$~G#s4>kGdMv$HSsSr^jYP*&3V$1}&{FWcxx-mq+{5sW7dlyQUZQ-tk;FiHMB+X62yqjtHS_gDS*U zp_z=R0dXElrtHx)EE*>Ie4{gv0dxGO^*-O7_ul;h>2J>REfVnzY-5N9O4Lp1>o3(VGsoAqPCk+hL8^KIb zyS?1xX`X@H_{M$lr-=6VPX_?u7j|n#T zRv05&$+SUZ;Vb({`4zWP~K|%{tKoO z9DPiZ(&H?@wUib(?RJsh6S(~Y2b$&B-MA=xMK&rO@VG{trZ(X#JR@TbZ2&%i+6%&y 
zvU@LMI*s;D*bFa$TotVR2@R@NhOgO#!8i}ROKt@PjgOALt$981<~;7LoIb=G729p+w96QEsl&oAMWc9TX{lE}w{OTA&)$*DT#F4URi*!9078m&OtQrdW@&H#mTO7lpOB54wa z3RI71?<_;GMs34R3sfb(0dXkk$>{F;8+U)3bdmzsfguoTtFSiSy zADMx)K2}#l{JQn$FDhV|9P`HSg3iQ$eNn4?vK$TO5k5N0@O{583#&i()%>yn90vDR>A6 zkdNWdGg9ex?6^GwgYmj^!fa*4INL|Pb^oLRukhw)K=75O>E+oNk-%DLJ1RjH&7FUC zAAnz(v+cW97?;+TmWuSe3D-VK90^!_3g@RS080s&kL9&1Nfty1%9watfp5HKHqpb9 zB>r_k4#6EHdD0S%xB!G)7mKY&h*N4vCOwU5Y8q(PXA~Ov}s3IcGxc$@_kQR3fU=y zDZn)mN(XRm1eCkCT8gkVk*K;lKXbu1UF`i9QZ2uj+%`Twe!q-R`0(sm^)BmtS9(T9 zY}5~P6g|QmaDIJlE$1r?5M1-9Vh55#J6y*osfK{zF%9EJP1^etgSKRZ z#oe*7xW4(1*cIUl(6Y2FkOdR-=n+vp4IA6U>ms&hc3Rr|QBio;DpT;gaE_hmmJPhi zf=Y$(ax+(I8%gs9*19osxeVYUk%GF*IWVvHz>_|smjM6krSGK}FN<3G*=9K4w~`OkIXAAPk4EFI6L1g1a{ugba0pjp+@tntdkK-fa|H8qO+amy}Owik0Lkf zf&x>UZ1M;0d7b(tCx<5r|FNBY)L^upK6%2#$XMtky_?h?_j!<4j%D|+!_}~&z$#R9 zYH{)L6E_#{a1V}1QHj1;f54W1#nSR%Y`w8_X~6LLV$|sXN*^Mm98jFs79jv*&9JFA zg!r2be;%%ZKk-HwL9?r#WvzI*p^T?G!r;*^9pO>ZRPRZ3P(Ag*y1@=7Y4@wi~FK zCTyFW&a%?e7GP3N9gH{3PD``EwpqLsXrEw3K)&-iOLN1Gq?E%3Q-vc^qM{gJixfeM z0m<~1{*lgxh6ZG{dW$G~oI5|nBsN%H-MVdC^Msp0?|8pHB&+8#rg#w;VYV*8eXnqc z1s8oV8vTiNLao<@%U7L0qHAMWmLxbu9VLekIC4>DBl!|lbjGFATEB0TM7?3X-qd!d zgxwz_TXc~z3cR~dSV%}YY(TXjY?)rk%XqaevlMS3KTS|X#9I+7;Rgk9%@#_fd%7`? 
zjz-ery8uItcb0Jg8q29Z?Ls;3_U%Jys9V~E3kJN3(nzl%Q%_bNJFr+)UV$_Kg6YlT-|66Nv{4_STRGleZEPS0Mj+qGqZ_-4DhEc*~Jzk5Gv9RmP~I z`h=aonvvrEhN?ju@n%% zm*1g3%-1zsBqoAy)z~7)e3p}Q5W@_rRi1eEVASXrs*oE|yQ`ywP0CPSuni@QVip&tA_Q>GkQDi5OO-MbaiCk~{@CV-$u;l^LjCzMAMswD_HiL`TFaMbt4 zRk@wRFsg;v!&%hUUQh4GT;UkeJ#+ZQTN2ibJYfA&gz`ZS#yud3K0Ht8t>8Cl+LkDy zq6gQ6KuaJg#A5g`EUbPN6NQ`7?{K;AM{%fGT>l*EcOCM=T+yKTP$-M9mF{V4j|e@c z?p#+J$)HZeSjZ)8tZM8^@e70^ntYfl&89*J>=v#*7qi zE6nD=w{O!Ggq!${Pe#W3IeW;Se| zAwIw92~M8skCPYK*)#!;1f@~%7D5pyFKiuOz)`R0UO!?yJ*xT|VZS(}VUyK>)*|h9@J-D~$M*l5AmsY4=zZVY$|wSfw0((zhW7#s~Y zXiTF05MGReFjJTC&x@Px2D%(qQSLgiR#jOEXOmP1pI=>#p%5?9(^EX{lTf;_VV7F)lk&&Qra1^d0!gve$-0Zakoewk*usg#4r+9Qc%auBt7f(x`bnh=E~ zgxb?v9Kj|AAtP5?f@6Wq9@2-SKT(T)X7jo;3N3tTIRDsj|1G3!ER2jdtx(Wc?YwZ* z))?(VSTH5S>vwY%*HAc{oH*ek{XiH~T9Vg?wk2iSkg95FB`Aza?;c4*8*_S_)ah~q z?p9E*0y=h{ehsrN-N!@%ac8dPSpLdIB8ow!)_RCJ^fJ$hAEXI}m<;7!?il`G; zR3v$VI*!Y18ikqup+P~hD=Bn1ksITf2yxLf&I+1g96B|e zcsMcQ;X{M@)tnJ{IQ~iMVMCu9FpecF%|pm-AV9{+3-gJ0M`@ie_-9(jCL`sPS1(=! zYgN#XNN{+QUMD<)_OAsLQ0%tOWZ!!R>S5Ou^V83DHHR5Io*{&bz&?ohU5dM{#7{J_ zH6uj$gEzfWknqfC{rxB(oG|~d69calY;1&TkuBzGZmZczRdL~!wvYn&a(Nbr?-M*? 
zv2zlgRC?u5*6~*g08_m0oULCxEkkx~UZ7*#`^uvczldd)?H=4)xxD1Xc^&XUy zTKWuL9szThi}_)W@c8(<$1#W#U=&hjl^;lv0w1_`Rhi&$cm1(VzRWi=6~FQE^N%}8 zp~ocC<>v*lomJyZuJ3)Y9TO;7H&B)U(HlG^+|T+Hliaehh6OR^?&{+n;wntmwGmxi z?<}6ne?sMSW5B0E#KTC64+2Co7$5oweBrA)BNqEWm{f| z=lG`&8TlEX)iX3KGmLEFpTEv`{GHqK^|Nead}pESB=urM+-=zfHzCQR{9}uAas2Rw zlC}>jgs;^{PLF$4#I48=&3p7paCr-T5K0mnS5BE(TP^hi>dg*pL_|LPqk`@Ncg;~t z6BY*U|0xm3tD;}CFL=hU6O$+hvzX>|n7u$UO6GJsX2YWND^e2)frT*Y%hc>g3SPd{ z-dm(sZmQLA7440~^yIT$kH5^#&B-M7?CRyCAac{bKTbr{CBY;5xRIBvKE8Z2KieMp zJyG53w>-<}2F6zPRp(GIg5|1J z?oOx%zAC{!OO|{sL2w&vE6u|s#H1|4to@nVWewh3oX_rSgtCuecsPfBuobCF;IVC9Vmfm9tZ&@4fS}Q>Z^idlaTj4ZQ6Q zigPIpm%CA8_TU!+I#eb)=wp&&l910PytWTpV*?S<(j6R&K4LDey)kS+j%c~Tyr&O) z-1pV&=gk@z?~t)AiMq(EbSXrsI6SWo5E2HfR;z4!g{L?e4QCik$u4Gb&p~ktEMYoe zK~@%68kvZ32Rh|Y_Wg|t3HLQ4o%1_ou6*JV_=yN%vZRWbh=>|z_B14&5G!6K?#?6 zT{PE>a7Dx}4}C;#e_BqEu?*F9I)DEB>C5PQ{acp1kldC*^q=#k1j zoSh>tA@$7tO2+DoNLUR6Ity`(6B84|!swA=usr>9s@EjB^wFd9;9@_OCNM`vbQbMH zf%-a zk)>1}a!M8vx9RgK%`D8!7>dT%jAJ+ctI}a=IGvn|m4$)9X*mBat|#f{&9$<0D=5lD zh=<(SgYi>OH1AL6byzi*q5g>D&{f0>#wfR0ni*iD3Uu%@{;pLU;rY@agPu>*uFw!b zqV~xoHXE!7-5B_8LP0D2ZmRRl2eAt0CSe=#fgr(j?^spF=2bE~_rf>yjz@o=5zuldDKZ&7v%*XWdge;r?p!@P;j zn>X*I47ks&qJGD-C&d^AH#liEeV7FRGFB~I-9`P2%3Bqbo@_GKI*;q-P$@mS=DE7b zG53JVuD^aQ^s)9(QWL$YXqcm2gg46X?C$D1g5*X`7(Zg-S~&)ufrw>)ArL2sP-|~* zCVIm>C`Ck6aH;wpm%zGPuNy95hgBq_vECG)IFw;5xC4`<^Yfazz%KFOp zq4kx-QI6he!|k2Udp{XHVRa7#E6OJAf?`Nl2wtV@WkoLF&z@sx^h;7{~&fWX-<37fi)A7fFp5wLw%!nNhmD3fa)Lk_SWHEXCX0Z4mLo6v8J zSsz_!cSX6pPyf4{pfK>1+S2MFj248c&a>?;^IV)niF&PAdfV5Y9wF+>kTF7zl|4F` z5r{Xe>hssHdsQ$H_|jzQ|E}4KE9|e3HHFfN}o$}=u^A1GhX zpGmQm(Nkev<4JyDAUR8QvigL~f-Z*6z?o689-fB4mYO(+q=OmykcQ$*3V}2jk$`?& z3guY4rD;>Ok=ykA2~y7L@6PV^fT5+EMr%>Q@A^4@t+=xVcBZgi7H*}VXQgjrGl?YxZ-#pPAudRn9iKD`U}j*bK8}PgYA^4pc%md5gXaJ5w_=w~ zxwLd6C{jYUcW$UYNN&w=W>PQUqF%|zNK3h{rOw`6Lf$D>lFKo#yowwK*~G2C@;uvT zx`K&2u5avrDh4*gL^QpuIz)9U@SeD|kMqBQ>V8vlFc3{!x(qyi8}t8 z9a0HpXOpmr^IvU!b_x?8c{(pCfY+b|^BGRw5;3RvKL_y3{ILM$o*?&y96ytul9iTT 
zzWCMbM+3`08-30$&zM+c8FhFK1q^zu{x%^ipMAD3fFvrIwHnx ziZ1HZPFc&2mqzCGfwGcIAE*<1Rtje)#v`6)nXIg3NoV$`9&vG>ODu~pO!Qv+m_#lc z&g=GZywdmNr7kw)NRh|lv1viGQ+BqYP*hiOYw-&WPxN2|sp&_ZyHq@%_k&X}9GD1)HIeuvFnrJW4 zP+vV&S$Rk?&smABz^QL;SK``|$q;{*Zkh8?#ngJyT#oI4$uEnRa&O0h;qpc)NAKx` zZP_eL)^}8Y4|%p0UxZ=7dJC7%pF}%TZf^GJD2!OSh)b3rQM$zdQt?dsAg8T*;Wz|3B|^5vT7iyY;4L&E7oURSyo*ODFEdzZ(mvfJg@ z=Bsi-ZLS^6O%>n!J)!(orlRsw=mGfqljd~1uxk4-_h7C1K6k{p%#DBj(DOo@`q=Qi zW!=wn5+xcZTk@J>($`-0zm`AOD?V}9vctP!x@)v=SW9I}in(y$N1u6*xQ!fr@$kyD z^%SY~H9@!UcPOf|W-N!-{Ql=dYtl6hoJGAC^Lu#9W;*T_Rgokfo-Mx1FBaKr>*hUD z7f~sur@LrOR6g||f47?c-9hk&pw{6$p8=z9V~IPAOMkcun(X|t_I!Ev{i`>TYyl5; z(B8hH^ZlI3rl)?xg5LmE7zwKvn_zfiB-L{xN(Kgxdk2wz<>_;9|>*=XN2a`hSb|3o$=YR1P zK8-z2F|+q?c=H#~`K;mC>L_C!?EcljaZY|pG~3O%btxdNqci#Y0 z*F13M6tl68>tR+PJd{sHOF2IeFMJ^Z9w|3B7`}zzEXo{)YEjXSPQ2Pmv^2p@p}GViMO}6qkZNAE;qbFn3C|meNM&QpN4T* z!3H^mF?b@w_TzI`*S^yxC|Gp)@dfpus=0D&O9KvlnBOBKS67DK#AhBIrYPE`BeZT_ zi-4zhqTRqeun(!07nUw&1=uXTD`v42-|_UtHp^ls&w*u2+JV?`lA;$-PdV8&_s#wE z=?JsDL09zRS=kpFqR|QE`ZIXn)W*l1sAS-2z7z=l?59?CtS&*IK&k8p=UWpUodcdf zt)6*Hmc+_Ue`W&;Ix2zVK$NCkzi{hCcK=++=6uu&>w8*miT|lPGWa@xk=fR0!OG{G z`ci>pEwRz%*9Kr7f4CGI))sX+Blq;88ukD)2lhK$$>~6qIOysp$73U7Vs`A>C0M+r zP%ZD{;|~{RUR1wIh##^Wl3m;JFaAn;INsloopfA<-N?JGm@+Z@fZ564eUF)KY^{Eu z8abQj*v$_p3POi&u+~|QfCK-4maPkhCw57@eJ|_HTB$3hO!p8i_;&lzXIEQWuay>> zeA`5$#Rwo($~FFLyGzIa=XrdNnr2oP{AKEkl?(=sGkK=&A8NS!B>M2s^+5Lj+A_AX z-GE0$1VC|=tgwgs-w*j;kc!|pup&u`fBu0Xj)HE301;6cCjnS(^?QpRa+K+Qif=lm zbspI)2Q6ZvX|j!NMv(O8>T9qrg56t;23ap(x+E~n@DD=XfX}M1+Cb2s=w(q90Rji; z`aei{5wjayzPvOAoWt^fyc%e_gun>1W9_8kZ``;+OiWz6yWYfHmeTgu zD-j_iW+Uu7e#!~H7(ackct^s|3Kiiy5)obR<-&{LXIh$omhp2<>Ho_|MMjR2}qoX=*@;9#2@~D-sE8UuljXj Y;UVeML325jgpW}>rlpjraNhU-03gG^{{R30 literal 208206 zcmeFZbyU@Fw=YVEG)U(nMHe6--3`)6gCHQ?-M#1rrID2GmR3*@q#L9`LXeP>ywCF8 z`*-f%=l$o5d&fBAj&mJDU2A=7KC|a%&gUDYrXq*)fZ_oH0s@YLytD=a0+uTR0?Jbi zB=Cz*s52w@57AXaP7AmQsj>WY_b` z<%asqx4n4jLE}`}gOTkI3Gb>6cD0*+m0eW%mS5dp2g2|rF(Ci_pDENFrvLsM{JbKE 
z9q9jbGW>wMlqKfBJ5WX`sQ5qM9$!*^X-x0mJQrVbFMNdX-yP84b4&eqlqR<2H~c$F zVN*E&-(Nypd^VGW#Z)7K8kVf{pC-9_6$) zce(aTX>+D})0J$~bZq%FUwPI4>6fTUSt?Ba|2+F&QknmsXaDPFrdCL5iK!OHHBk2O ze}jYgA8w~EX|a;w--m*6;{O9Z`2W5jBuhGyY<#m$+I@Fcv*NW8$G775+Y{Ddy1H`L z(tXR;*259_M{$}dlKms;Y1YaOnlZ`S=#G%p6`Hi&S>r(JG`nf00Yw}$?vuxbpDk)S z&olQ3H{YX0M_^GACv?=yr(aYU-#&N8JgM*POYInpT!(x!Grf-Pfqz+Dc^7r?1eM6( zB$~m5hRA?)HNf)g%H4U(z`(%i>FNIdzQ@5r6U*i_10NqB0|Ns)`^eBx%%>75{E+KE zf0!5CU!ZPBq?`S5UP_%QJPdTeZLb91w@5^A_V6^H=tb~);})aE{v%7%=D zwCuHk^RJs37#pu#UV1S%Z@xvH$01ytnwpA?jBHu*?oP2b@%)DJ~us`jErocZ>FquQtu=}>;`e| zWdttu$;ru)e@RhMquo4LaH0ug8El+Le`ctmBg`_l zuy}49nUHY*JNLd)5Ys#Aa@a9|2p>N&D=S9PKt%;IXZ!i_Sr<)+t@q?N?;Rm@5fg6d3ps1 zIjSnfDXU=<=pGjR?IGYf0YOrFx~{J7T(NT2 z%KhC%c|~GcNca8iA+?Z)^bs{FDJcobkHf=+AtIpF4?+TcZ+-)HgJ35bOrWBoI(FYS z?>*jpzdFpf@@-&XXX3r0h6W+Ky@Z5B>o-m~8!kuXGDBaZv#J7BX!AIrASQm__P|@O z=OV_D1W~wa>&I{wpY05`j^G)s_&^2B+;p+td; zx~)89Z=Sm6c3_EVxw#2Fs_w)m8b@C!9gE(-S1?^HkilYX78Ml*YE==%*!=P1#~rL4 zQu#nrGczq62<~T*kz}#kUDe2=2M-<`p>o$U^d%=ICVu~JSW43tzW20``sO69yH5tg zSXx#VtzPZy3|~@7o#GSMF126J&-ZI^{v$QSQwxPhL~!$hi-Dy8o0K@cy9m73aVIl% z0@e}t=FLOD5==}?Dg&lILSQ4nb_)s$NZ9m`5NpyxXN`Q>o<7B2v9_?V5El=+D#nBq z_wfRaR7_*9GHAJ5It(be!sg_^|C4(kRmsc2!9hh!b{PEZKE>VK9tIxHH(2`k2(nA=#Xw-`$ET;*SXfd{Gl2ibw|hF}i}<}K?JKv{ zFWWu5y}f}%_k@^Xy7>6`bR78b6?;zGN1FWk%n?99OdR&KMka=&<62hUKJku`iRo-_ zIwnD|gX-q2Ch%an(^pnD9O&LvJSN0~&JCCYxTms$!dhvsVo#Q17i%~AM+tPvJ(MW> zc8>!foJ+#>v{2wp*4IsoT9oWC%i>yEJb?pJR8&k_D;Jfbf>CBOwFaI2oaGP}HuUd= zCFLA|XK)NUTI9=dS~F zjpX#cJ(~qyb`h}0VmPzRF%8@%Jw5&I_WJjM8wVoLJ#%w&u+qH>CfF1`9i6z5GgxEc zU*{*{d#?2S`MTo@z6R~`^78KPZdh2Dk{xwSMGjN<?k!fk9Dx&CmnAT*cZ*FdGVq>ulziVwn&^FV$Z_L%z)q$0fWf4p~J;4_< zPIa(y`uJQ$g&hh#JwMl8c>*b72iN#q{Gui!D;31!WCrGY-hS9MB%v)yffi+NWMq`Z zYo9(xkqOikhttTyf|qd5NYG8c)xV*Gf-ai+Xi1roy85z;e0jdLJ%EiUdN0P~7JJaH5 z9N$2ZnaXD1@$0*ue<3(?cPwAZ$ER&ixG(5t^!{cvPa^bk@)|ZLX=rGupzsw$CEMx1 zNJNR)wA9q%E_F%yTi~ZJb|?F1XLa0ZOvQmaYIoZ$fFB73HqFb;{Q~|ooP2C*!A9@j zKlUhr(x@saDOp?Z0{bYt!mFdy5mJQPv)fKymnyhWT29XMaQUS>&AQ~^;2{5|cqE&b 
zw|9OwEFuC(13U6YDgR0q6M~bRo&CMZRtL_}T;0Yk9J0XMF2F(4cTjg8NMqQRwbb@sD=<(|Gz7AWcQulB=oz)X30d5m6R zNjuBAS`)WavdoX6=oN>__$Tx}r#neN#&9j}^f|McE`R%%oQV!^SLWvMVi1uFW#crA zSs)iD*bc_@Ox?gQeI7edPC=0EPdxgM52ixkVblN$ zsssPT;sRvm*#kjEDlG6}hg4AUJ8A^g|2Q-Uj>|>>7>EL(P=7zzfp3LygsEA|GHM(E zK8dmtmQiMKGOB$w5&54(_>1`seLDbMk}u5r*N1;kmopR)SYW&Zbta{9q5FsA ze<-zn_}@wXFLcF+0Rm6K0)B-^;llno^be(RA^(l!|4LUKATTljQ2NqoAo!m{|4>?_ z{@+>oU+Cf|0jwP7a7%5)!WF>(=g@y)?q4qdd%F510V}V-0z5xL&?WyN`M)q1&gFkk z*ShZiGocSX*@GS*ooM7@jB~7`fTEID0;9-p3QgKGgENJgE*uLzQIY($_Zax5c+9LCJeePlo#b&c38qasQy ztt2%*_RZ%McaXkIA5=@&p#r)V<{LrfcZ0mXNPKG8Dp;r!*qx}Rr5I@hSDV&Zy^uMm zut3%CMsM#83)mMHA1|*`a@Y_@){Ak#rHFp6 z-^|&k^Wt{Syr2I(|7*S_ySkB{*lr9ZVD3m2K>_@3!= zg^ps4G3|GAGi@h%ivBMeliw61*H0VAi)n~npA?!H)9#)x*XNO_+t5JTU_hHUWGxlE zOl=ZSE5ZZ)-L$uEog+9>tCrKhe`wE?i)8=Hzj3|wgT=~?bZg|UIiA~_sxnJQ>>EFw z2+kLNNJvxvw`UcNECC{){>qAREvLm>Ikvy>rVa1wtMLBIYpS6qYtZA9Gv!|zh8M*dgJ7o+MwjC^^wPVtx&#gu=l?-Ajbk}yfD!X40eu1$QxtTB(dO9{%0k@5}> zt}w3c!Hp!L?kDL_h3d6Z_2cn#fY%szj%nyyY|+zC5baD2;63~14txD$Zl6`M=^d61 zi|1|>>Qn)22NN!DgKVaEMn;_W3-0fD15djq0i{{J9hTheOWvMKv-8MuXfm=DGMMA! 
za8+#KR}3jMbB&0lzWiLBL45HoS|?>Le!;c=)yenLnRy!lNjEe&pV{DQx-#X^8J*@Q zyft+(U@3E)xTYfNUgh;wu1to>&naYw=s%uLV`Ma53St0U$X%n^hKPkRnm!UF=C0+zhr&}WIE;!XzO*R)=;{x ze%~KTsNBRg2T~vRRXt1ZuKy8%CGw{?OxhT(V21n9vOj;aYL7bVCL`>HxNbk$Kl#A@ z){>~JYVTrqrZ1#g^v0R0KnxxZ*gZgok6z?{xD zJ6|z2i*xSBpZ`+Yn(s49TX}iy?qZ@UxEF~FG_bsgCwg!ey8c0ZfniY*DA zo#Js&RlW`RT%6N6e&0~T{ru`WEW8YdU|ky?F4@Uljw0n%MsuIqZdPxkI$}Dse(Sn% z+W+`_Y1x1zWqM|)U(P-XzXe3*ap$-OMmk~o2DjDrpPqEz>v?$FuiW-Be)@|oWY2WA zII2Z1;6ofhC@S2bu#EEL?!NT!273I?sd3_j?ITVadD<`RMUPhC0*5yYPI#%tG2ynB z#;+*+iRgt;e3q!`cHI}o=7cZ)u65TpZ|ml%JN*2nQ!$*Mz|WiIS45KR1>|2CUpH+X zw(%O;5H2?GT?N)Nby{W^%eyu~B)|Xl&^&*wa_&1W#@rX$vh)|XNDMjJ7O5-bUAK$4 zg(cz4jGT2$g25w%{U;z46f`WPR^7Sme{?3W+tufd$#DtHw0 z(*6qPeMI^WB3v^Xa+r)nyAEVkC_0=E-%N_>mSwP^3JTo(ER=Cg8zKfYvd7_#ls0F7o=XdiUrN&e4}&cM$is&^9dz+UYUpUIna% ziwGdgan&*T1i=|{0;C}s(UpJB1zT5$~yBe?}f}OcpG=czHu;W{&Tx`4Sl`64E0*t zAB*ODyF~>r_OJquexibBn=ImPt7cOt?G@1ef)uI1$y9MqMUj^NflV=eQ8>&!bf_Pr z%P<6Ue9}I8{q%#PDu;1bVSFp_`1cFn2@z1q zCo;_L*occGoNpZ*R293UJsVaSoN2Z!@bJm{v@0m6toG#en5x!glF0Twd2#Yj4e;O15rJG|KMHfPw#A0 zuh0n6ta5@Hs2@Ju+}e6?@e|oFf9&awf+7(oCuh?J6EyVPc8JcTlDqhmM`BP#RBouA zxHA94zLx-@P}Ao*c>Py@oKn4feC3Lo_c-r+$FEgJ%iVNMh1RTOae^<(@A9_TV{&4VMlgvCq&65WqY{k8O#^1@d5l$r zwRvVoN-l=YwLf>N`>MKUH1SuO*GG)F^j_f;OY#vM={ZK(Z;#}Rhf%w48~@r6Frz{& zd&V^gAQ7GeQFta8?wRWK=d$tfFN3y|7|a!IJ?m7d!Jz$=TrsWO0= zXb_26hGFuox%m0}^V!Wg{rdg^l)9G`WTm4EO|~)7(Nm2Z14BbkI5;BeORYtKUuk!` zOq3GWjTw2dLVL5dJfB9Z9~FCRu5wlgbe?qhmJT}pq1$rp5ebJ;2f(gLW2-<){4Jex zqhVC^=Tuor`2;yYPt}@lZv1!-_$@}?`LBHntF3*?bD#tl1}>cPt7dje&1RpCq79wO z(?N*&O;YsolbQD(Pt>m``8N6!KTj(bczk9j}A>6)2Nmc*f7tw>CnEmyo{iAwpV1-gI5m$uUw{p(GagbIE=2_m|P9 zeL{N^latCCB|+={H^=>0r0o04o$V?Pz4_#0_|NRF&kx#_>_9<1Q>kauj0xrTIkjpu zHn0Hb+)x_F=-{A+V)~z*!UO;(7c&QpM9>E48k;(>w0js< zEP+>4zW!Jfj-}~#d0q$)h3_h3o__VHZ)ku(fBzVMFc^!xb=XWRX??b9!p%%60+$Y&hcYk{C&at3_?xWphA4;urBm4>oV%K5=! 
zOzFaXYe+%@UIEt*@tue!G3Pi4;i15I72GU5KyD~vzd~aJp*HGjv--t%+5X&rECvy&K3WQm(tR(%w{}85$AOOt5fyKcm@uR znt}q;zDNR_1%G&Dg}o0F^Yf^$4lCwA*6YwmhRXt8Gil*M=Pu`@NZUq?LYBOJc27Tg znq2%^nyoR`ArjjjeES3dkXl6S{fmpf=lk;jnVU%N1$Z^^Z65n`>deOSv(+zYMg90q zKA`|5IuiS{Ki|OmqWC{GbTu*5SpIkH^5OaIPKEV$K(_BN=V<{G*;RFBrJKR#DUCbF}*Loro_! zYB0c5{jLvM#(Fw^FX$`kUS`rWFdQqtFDfdvMo)VCw#ohHOxcT)a%;JM0TSBAc-U+Ew2=uiOSRes-o+Devmc@TT5n>p4c(!NsZF_7F$+ z&2CAqA-9h`9OUT-nH2|ZZtM4W8COv<&z+DLM2iAxv~dDX)kCpi<9hZYXE}2K%Or`i zcW|iA^q@$jC@S>?&dukn{8j@&?@RHorS_6V%1|6NHMP|vIa(gL?}>L$eU_kV$LF`6 zIETRqyZZQEK1WI_tj{ zvI|Y(8z)xD60=)OA}0;3*LcM87DT$b_D{Q5H<=N8ydOlIRuKrF@*KNX8+YSYsT2L8 z6BHB#?LO1TDVKcwfp;ATne-ITyiZ;OYXE3Vle7HluiY)`tjYXCxvYMF*NklRJp5)ey}B}wuA2~$u(WrNiV^tLEkV%AYd z@GIg|pvp>nl;f9OPiuP}6;P1(4L+>x7sSg2nqnacd^AW@M6hRSDge6k49KLyA1g71hKonKHM!eQFaaAGO8p^ z$L(i!{WN7ijqqVX-}&`6QFr^zueJkF3Hhklg@HCmg-(sbV)Fs$hJf&6AL0~8BSLXY zky%!J)(?7n1d;k(9;bx~q9Ln78wXk7zRVl=mY8i$;$AWA+@!eoS39wao|Q#k70kbU z&JA}E`EEVvI~)>1O?ktg$kBC)^g$Q2UZxu-XtXY!;ly^iJwcg)O6uoqlHr7hY8^td`~;IBI4DtdV#u{a9MVz2DL)#U4@8 z)=vG=8T1`AW1uDI$Gf&lhQqj>(X&UGSnWP*94_6iOw z)MIlX2_!wZ6wlN$00DxDlfsKXkdjyVZUkqcBjTK<1KploDvQ4FX|2t(cK< zdE^(vP9Nf=$IUh6-{>A@3%LFOd7e(SVOd$K$Os{o;`8SZMzB3>$n_0EVo+a`46RNS z-tO?^FcqoK9YUkz?We6zzULd@e)#sHfVgM^U|Bx_7zvBdp}vb3JQX^1D{8S>c=#fU zUPex?;xV_p9TWQ}ByHF6wEkFfWS*UwszuKg|A;Ym&{G|5fCoA$;W}p?do;=jVbks& z)NWj4=g@^$#!cwP6%`fv)~O#p0I9;9CcM~E8$NNRO#i|I0DWfc?FeD_50ej}{co!N zxLk!TYDaH|a20u-Q$~D3&oA3PxOP7j-gREE;?N1&OYYJGb@Nlt@+mYS+77r z+rN{BlcpJ)0%KD)fhLX`hg$Gqw9omz-T|);QBbA-?_oZ%o1@;#i~Y31+JOaA`B_u>yNz-t|t zEZwck~e? 
zhv%8PZEmdVWO}F{SAr0c=^lXW@gwx+bJ4f@alMdt31cQ8SFcCS!_fo{L-+l;V^EW% zygdB=!4(t|`q&Xg1XTwU?}vO3J0oUhNQ%+Ku`fWXNuNyd|qifApA*ZTe~nOkIgsjnT2yiofO#yt@HSVJXWoCJ+wGm#}Pm z^g=`pbagSRdeG|VO?ft}=W4W!-|;!pG((4=2F*&ahn$J}pHMVWy&3u*kkW>Bll#4S3&0h z0`m7W_~Fj_^3Ug@!*YPun=(nWKf%E2r|#11uu^u@uD(Ua}_fdPz2Cj0|B1F2=E zB^(h&Bu2MwFmPdgOE7C&^hp0TYOrKYnx4C$B0_VNlf027Jr5`^F?woIgCcS5t!AsK z&tn*ga+4w@*@5cDj$&xm%9T#mn)LEIe1CM1w2GclWH&5ZE6iKkB(ctk@)BbapUWf* z{~1-;78zzA&N10Th4_cjaWP0Ul75e{#JR_(u5M^SRf$JqN8Yejx&Gaz;6Wn7XeN(h z%si+~g7a|Cv_}ZD0|zMBRl#(F#s(5R_+FwnvwX9Cm%d;=v;G%hXtjhd*R@6@$LGgY z`_JZ<$GeAHmWK%&jLggh_v_iQR00}p9j6zywYAoh#rYTccm*zC1`bTOO{38yJ}riDu_(pmYi*^hRlVQA{fJemZ2my0{J2x=?$5)vL zg0&XI6kuW|Sr@InLWE=jVNR55eQ@wOTSGI-W7r$2aRv%C%P|a|FKs}+)7X>BuBor& z_(>jppu$q2Tj$&Pu$9PG?-C{E?6Ua~vYes^By0CT?G5y2ZT%ml1-v!^x%MZho9wqRmqBQd`?$iB$B*f3b+IKa-=><9?i8geQ0aos zb25|S5#klvTTr)A^%1rASPlo1($b1qj!^A9ZBBT((R;c(NoiXy#U9(Kn$54SoR#RM zO8GQAoFRMY>sJXSRG#q4H8O&O$e#7Rps>TGb{5rNrndE_z@nc8fHYA%u7#pzcz9Tb zPRI3&GAV_f;V%(=0Y!X>S&3EAH}}VIIMx@WuFImw2SR5?bq?#EY1@X*D|u398^>~k zilUc{%hN9z<3I_XT##W6#(^x9VOKNOe|CT!t5SYw~I%t4*@GkuN-%DXuPQF&$+1OE5Lt~496+<3OoYVu0R`B;9A*_5PM&)|4sZeJQ zroO&q@u^NBEcO@6#*#ryHjmbN36{Ti`jTd%VScWL@RvqlFg$!X|4{`Z6e&(|T{;Kq zuG;y60{TA3xi@`|pcv`*7?a;T88fgN0EmJTVZA78*_V%I-Wvq%0VebuC}?Ps?D+W^ zjkV$6Fc?|_pc?2ZBJmgKvweUf zjTw^a(nv6B3;SI@T?kK9-?K-QgT2C_bqWHoQ^fgN&(?MY#6-SiyrWPqA(|dbO|UZL z5-*q1DU~io4k^JEX*k(}p;@W}gP7`OQHH3vJrEU-K>G_`PTCy2aAGVqUjs%nASK49WKWB*u}VQ zqJMsSj;R0D>c>!wbOceu4li{F7|7WD?*42?z6A4OsNTVDdHvRWs}xSDZ{ECt;~)5? 
zoMvBM$wV4>dkdKIpy<{kTwR0k;P!Kdt%@TMpf6T5rzSU-$Mvy6Pq#o>iGgBH%$NcK zfsK)wI4z8kMl68p7(ElEsufICQj~S_QzJ5+2kg()DQEGTkl*|kA9Y;ms$vDTponvU z8f$Wl&%ull@(3Y{{XkuQ55K!h5&s_ya)NtnysF}&BDz;qm6h3?W@yc^jwmTr%H7vy zyU>q3s1kdik{k;XRBg|J1HAjrsh7-*Er0w*AL`uRDEFH0eHJ>7ne8T8c-YX*q=x6F zq>wRYGM)v1R04InJBeDvG6_!ukdDAGj$qtQPl6%E z*S5S!pL;Bt5Ebnnq>Q;zbt!m-OKQdh=@W*F}BCZA)**!jg_^*lp1Pm($Jj+m(Us@uE=7Gk?g1g2C7fc zN1@pL^qG=}vYTkmLF!dqQ!XDbtv3 z0`-hAL3tel2S}s1X-os`&F_IEh8>?oI_aRDi()o;YOCJY9nl$D!@`~p_f zIYORv?{fW4FsrdNR)XN8eb4n{9_dpgn0@5sEK7aL3OOZW(H?s3ys*WJ0nB}b@*&|* z;K+4`LUR7ja?pTQs;1%3CLxyg4eIQsq0?wz1zNvjmGsVw_ba}KBBw7<#4v;t=L+r% zX!8s6yBU5-Dupda)Z);G>(xIPfmlFRB}PAg2gr`K)GQ9aV&b3)@Tk>Ly?PW|iO1tf z<{IlnkJxx4d(fP*q|t`xc4bRLaS9TKWKl47LEcIbX)3dig$R+>9kykhL(;^u_6^xx z@)~%P?=B-FW78Z38XH9gV^50a5`_$roYIevkJC}9zm$b4Nwkl7Q9VS`Y@}+)a{(FY zCw)+>Ky03pDoWNhNm$t-UQ51Ldcf~QJSMv~5G~KQy^Qc?^YM_xgN8-T0x>U@{cfj`b+c)XltC7AA@85|9 zU=o_4PUcZq2cb=nLzn{wu_Q@USlxrG6M+1TdnegTAdcbG71&jYT4MHO$a%!-qIz>O zLm1@W!y&2zGc1gw$B!RxlFal3Bi9*2y>GAF<;ex>v9%>_@RR8AKdX#0KEtzbe#XA| z34}F9O5(K~Q1Wf!a%JV@9PI95hRI1s=aFU-4^m4Fes7b*_p$=E1J z8rM1w<{RXGZLF<_q=dg&ga+ZV65s{Bnes$dbWNqJUTAZF z;)ZS@CHvSQDAtsOnE(U8OqBCHjD!t|FC-G^B3;n&)gOA`IQJo0WmTFpxKQHK(%DDy zC$X8m;3uKt(j_ll|x{fg4}qS_KD|WbLRVC_P|I&MvhGU8orC*}9dFMv~{|bfxQBQ9!eQRc!CLq>1x@uYp6zZVh{?90*Kye|YS)^-o&i<9cSgRLmbtL1ACyS;u|#RGQ}~aa3`nV|R@>ZvCZ0?7FsX!-dF)MLUU$0fCSy>* zsL3xfxGljTFN748s);wTP(abCnIMi<#OEPxW1$m&D?7-0tk4$MpqN?LCdB|70FzlB z>+i3Z;%~=XE|_Y(e=gTu8{dL4?cfmqtKAYX&y3NM=ZjDOx@pH5Y(NO2l5lcybxj)l zs``{JL((&x%0vNP&^=P1z!)ps9?ix3lbrwDO>47CP4m=L4?$e9uKy~Vi9R2oDj{BA zB*1J#4efLXgcZnP?-v3jlWv6kSrE69ZuM|tcw^&62pEUJ?!=ow(;faYOq>eux~v)S|t0ma&O z5JDyKKmf|Km{b8f$_vdB8v0m1Xr1gXa_v0rt%|ar|C&{Wr}@WG;M$|Ivl|~WLRd;J zi7Jh|qn${4s(h+eq)GS!az5AL&D~aljZfe8=`qHHlK(7vbkS0`O^+Uz|CO7xc_MBS zv=pTagVBFX3TC8>K*0Zo1QA=Gz78k#;ckOlYMwXf9)vFp?1(!#J*7x!qI*~`UKr$O z@)BkBL*Ck`oP8)yE|e$4YV-&EQ6FNOX*TV?yHMx&xUB5jK4R z8nqLexIST2oVga)H00Ox{t@}u+35GjrSIhlcE^F; zVl$2{ghnc>jyh8K87}XiB&v_0~=Eiom()* 
zo)~LJTp8*5q`qcJv9FsxoMo%q7CUHj~Zp)c=`PpbCkI$?*cn}4R~Te=0eA6a5f=(`D&1+T-= zYj5Zk%~jS|yQkw$$ms!SFqsg$=}alw6`8~|pj3!^j!j>m{j_XC-2pg*CxKc4PVo|& z_$q)$BVI}w)&|A$`JH@a(YLjib4|qnAlBTQ^G{4qomR!=vv_fXd+&j{gD3%!$}f-r zaF-MAxMYQIUs6&MfP|4@24CKS9W9Gs9a91>%p-(`Do#GmKOpuCR*8$jgY6S~Ax{$X zisOQ8>IxU_(i%2H-Pt(ARLi`Q4UStk*E@H0-nH_JW~tw{o-W!(`94N!$q7W~;`zxi z%_Ss$8iXZ=gu!z=BJ}z5=R^WGlko=#ALc+DXT(56Ur&y}qkSjfiWaPB&n*Z1&2Fsx zB2*`MfzCgS|J7k>M6!4>G?!57N7Nmbf2~_8HjOaZu+$?~!iYHFwl}}TQCcNHUop(# zZlcng%`-+$fG*iM_E-1MdiBTA*VL>~c`IrgHc2;MJI~>AHHZIr6|cbv34E*?D!qm*Bk2J07i$qne=nHyPr4 ziYY;EkmL~#(z0lY43~R-|1)u0_ZANysuz{~VraiYRqkDTPF>AoyK5QZEP(+%(=r** z!c}9lqDZD?@>EIA1QTAA6f3V*nqCiRIzQy!W>LxRq51j77W8jYjt}5% z&fS)ulj_I4vY_6?sOA|dHF*@V5a1C_LHUS%b=h;wf^ z&Hy|P_sODv*1&WE!8%x0SL4j~n zXleMzbFg^@4Tl0Yfd2`19#$mZ6*X+s>XhHnVMx@ousY^M11juS90MA4o;SG_k0z$l#019G9tn zws+sR%kTM8=&(w7AA1Xpr%x~B2Y_`CKu50CX7)om_gF)NbQxMxwZy(#Dx+a*4I1?z zZESVx;Z>i<)Sq0g3$3ujr!395E~%AGA|o+ix^Re~b$TZU6Xt=B2&30UNDk8) zJG5bG2AO9q*=zjZY+gxBwRzA!fOda7RZ&LC#-9ewTLTB8EYRv4AuMW46opw5F4Ea$ z@z|1Vnx5{AYsb~0GA4{EDJK$$Na`n9uP44oGmWvrr-&SQVe>5U)MN&*W2^ZcF~%m{ zopwK#2yAc-y4C;~k?rwJL#Pq7QK7YtE20@Ft-5*SHlN0KCiMz5L-j3@hxc7mr4RYT zo^o`qJ6{jVA+yuh`P(o(S7CGQ4itTVVzS0J&DlPfrC@4sT9frsSt^@pXFQV>C+8>8 zWDQZCZ}fLWm@J6mLS9F7B#+qHWlI);FKQfr{N83xkAC!E=m@4|iZw2N>T-ExLSUpx zZ!WcNK`uLJ$yWDv(SP9Xb#)w_Qd{7CS87HG$T=GyaIvQl_Bkwf=rKzGMTZDse4+Dc zW;t>F@$I92Bn_KRRCIKk_itut;T}KoNIFF{bcos(?*` z?N|$?MMY`yNaiJ*0^jpRB$BRKom^>@nD|bBfWAn)BAcSAL+bG7RORsY zg!Z&{HQ11i_O(_R8lr}slIWFT9))eeU>CL{6AEDwxlNLyCgkIRUhhZ&L{lXwINDGfiJ zEK#McECm3&!QpZzB_htr9Ii#z&50t0q?uzCJHQh%^54Ig?HRY;c(4wY_`=?RLdBoS zSa_zZWORoTCLwCKdsI5A7n1Vgnu<65Qn@Zg}B(|IV zhS7k_HT0tORGkMA3}7nxTw)vIlAr${ud4aUzweo9Rj1b;E%*6t0<*Sgtp*Fr+bGgs zo75jDx_>73Tg1$LlNcc!%5_ckH5y}Q@?hq*Uw{p&irqfMq7#vNi!dZl^D# zDTir}^=^0?wv&beC=1q;cVpaUc0&i#|0ScIay`;YYY0K1E8JCW!w0 zvtGzUYEH_LEQ1O4LVm?JM(O|gY904yJMX}_fz9*jhM6tAn8&m@?QWj&iVnTQr9N{T za~HeUN~5(l(c5&EQCqfO#&Pm3fPGzqS;jZZRfd>Vp&bC%CBUMyl?sonZgW^_1G9Fz 
zqM0kT4V&LGxb=lG?Io;QUVTJ5-GX;#9}_qqtaKY+1pqujQ&JZ{3qGj{;s!=UEr+66 z-2vFIO~((wy-#2hc3mOp^bb^tXY`S)4NW7p%L+Ad5*Jm(xu=S^Ks@=^v^kByOiI2Z z|Mq39Ysl!ykC6q#RwqOj+UJp_WNGDs+=l1{u9i^~SpU3BNToNxGV0C47p99fH^H`q z25%%v94%E& z7AjOD%^Zozw1onoP`N1>P5F|aoFV$H-J1p!f^kqRK;x*9GUM<|J^Yd9z?=w)qksMUw76`s6Dg6=z zd`{Ot$K;FQM}t;~q!YlF%Pbbd$(-2C^idKcXBxTHK-#z=)8`Au^S~PElUf@4L8(ya zjsK*=a?Z&CqRrnzKtO;`gi@Wx{<250$}BZLl#o=7M|4Kg zw&s3Y0Fq2^Yzt%oDIN<|ptC!Hag0h{Ly^hf_i@Rsf-2^@>2yPEbpK0s5i-3qtJKNm zQh|$whH=tg52?B)O#5XV>#l6zt1-Oe8RZanlu3jAc=Y~hu-n5ArEXt#c6N?8`U_Ve zoi{V5LRXnl0QCF{MtH_>2nI{7xlOx+PF`U}egUn=3X60Jgb3oM{4jv!Q1UtaUrc>> zJk|aCKQglpiOh~YGP3t3TatCGa#FS;qloNTwj+CntelKeNjRd&$T}#pWmF^?so!T#-mmxdy5{rwypStU0`xdZ+c5O5e|lj}qRbA(K5a+)x1PHaPAM6=JO}wTDX@!eyN$hYG7D6nDbTrB7g9p0NR7!+m0s?D_ot+60|6 ze;K-)m)2Hz&=JI)SUC84ffv^j-4>isY-W(d%eG&kn7bx9jQIt&Z zZ&Og)Ady7bY@`8zJS0pU^-C=A*27TB+r4Q+L7ZSfIkbhU^70-dW^bf)D_s=RHL5?J z6ID9sU9I_;ZB10OikhrJWtODGq=&a(T5aB)CrzlK=C#4=7Oh+u>JNHauE_vtLE%XK zZTJSbSY5`c4x?Xs3W`|H;7#ueUTa>Dql~wR0;ML!{q2hOH|CZTDNnp0WkZ9Cfsl?Y z{CpKa0Bp^Hb9KKhiNQTzxhJx$a_5vt>~HE%mlC_(m5q=B&^Ci!Ohhz8kk`j&7X)Mn z85dg2Ol7@}K|P%kiVlQKxH5ZDQB&@?q)NzsV~%%O1F6xR%J@#J=Cd24uPx7gRoz(~ zHG03RI42se08^$H&z?OqeTq#7?o;@YlAYH>{{t;2PeJ}RT%(Ru2EdUTn*=LTF`2eycS=s6V6p#3EBZ(X$ z%kbu+@%e`Bpz3Zu5KrJXgHB~C9?S}x2%qANf$E*z$}hEfW@RAdg6cb$B6_7(@O%OC znB|nxol|yib}sO`$MEV_7p*=?;HSkk60JtXjB;sbey72DLv(J5cY!|Ym?q;@MkG-v zF!~o&&np>iCll2A))>DJ%p+Y4ObqIRCd+?2`Rqk*_8WV;jPo@=ZJ>9gn+TX5Hr#}~ zkD=n#=PzI4U(&u6SFs*Wx8UbIFBZE+p{CD-l1!x8&O`r$AkH(z<~ zzMmgxe(@rMOOXo?TeDVhKDk8^babHRj0?p{b91Mv7+WbfX-ma_^~%1>(`{sIjAKSz z<>}X!iF^l0v=Ye_xh8e$1@2(h>-BfYo^QMyM3Dg2H084PCxj8V(;t}nHgY^6c8OP! 
zu|FslFKf3Ay7zug%e=xjzQK94%F=Zfas(f(yu;5~Ad~Rn?9t`my-@_IIJztSW0jz8 zkAD95oQEju0>AxoC9e3&(OP-oejkj!ZJeutTNK%(*`>>uk)&Za=D?{Wa?6&|y(0{SQ)NSB7mBQ0qo|Id>TwQk` zEnct-$1{oH-s;ucI68U{s4f!ND-B2ThMck5`TXVPKV=%`d_qUlowB~#e#z8+_d0$2 z;*O>4-~EWDj|M)F@RW9);pe_ed2&H8rFO7@UZdiTTNDy`Pjl|M&-}R-0}BWMkH*2D zrBE39$@|Rd==ebi(VbQq9~XycaDbt|bFB?gEBl_b)Egifkw)ROE&^VSL-cwR_3f=u z$fZZiQ`eU4v{ZQ89~ZuX(fC;)`TmET=CVFZaPomDO@?oC4~a>2m(0Zfba}B5qWu* z__G0m?}nXS;)x!iT73DNkNJ1KLQH5mk3GJ0se*Ji3i(I{JO`bgJJOzzHqZKSy*k?} z>|mMwdhyr`43<`gs!-W)1qmLv>6pQpj%({^C~`61?)i`dpoN2=!a3%qFo@zIi}x}e zO|LsiU!edOGGx&ptJ69Kzd!!y7Qw2{#XK_tQvZAXaQZlMhFRp8)_7z_G2;-+6WcOd z*+=DMTT^!l9gUh75IUkt3?tGG~^QrA&i(Op(_=c^dJ{npvTrJaNhVWhR-lW;@z2?tZ49Q;tk(GPvAForU} zSXID{eP10UwNP@Aaf(~;dfC_Nmokh{1kAEpIARLfV*^u3T zcny6PgTT506v@>v8JL$$tkx+94Fj_ZnY$}$=plPN32Da0o8IF-^ou*h(D*%Jew|n> z`Q*X<&v@)FfH+pxKG0ks4>@6SuI8%nI0pGyC(@_KeSaBgoT+(L)=SHRu0`6y^bLvt z!d%LJpmc|_WR=9A6^BWxUn%OVN;NlKnV|EAz75oInFMWT2 z{4lYw@b=kZ(PRr2jCQQ){^1Qe8oUgobA=S>xGhj0{C zUfQS*LzX^QNKetBoP=a_&AyKeMnCl6bIh*Xafxqnb_g0Qof{IOXblVb+T_AJFw?Id zBzCP^cTKQUH1R|p|1KISzj6&jLebcLD0aXVMNh5Wi<2FLPWblCZF4WDuu!@Sucf5e zh~GB6yclCc!DeycLioU-RORbbUOmLS9(&DPzoG`x{b&<6URII}%G-ayeM2ClaRN$~ zxip&}204qn!0T)=EKo0=M7Gz!AxgIjtz-W`-@si0KyI*`fPdW=G=6ZI72m>;hsaVi z3R@vD8$PGegdg&1cIhcLg|cwro#5?7`h6>vJm0<4%q5xHzE@ji>kIE|B1hGOC7xUQ zBta7t!B_ykx7zJQK|w)@u9bEOaOrgZ=F56ujK`KmHBbH8{&LYZdXe*tXu$6G*+S#C zcgbI0!VSi$VshfGxWhVkuDTNU^3q0zX$&F*G03YCjN%T@nF_CdVu^62--=Kf-g-rl zoqL-u_}H;kBya}!6xa;=o-YJ97M*Za=gHdSuMvdzoW2he<|)yjXODu^0ARLG7Z&^O z-ueDnvo|-4ZBDdZG_M-c(meIMTpzp+!sVgiUD)m$wP$BE854b0#NPFz_=WG|!tE7q_m0XqAbEF8-P~g7lp=^ZcDegs1 zXoo68CXKRY9_Bf{Jq9=-q}os(Kg=!9Rf~4V4mM$r`|4)v7{}?*$pW*v4?xPjcGGQP zpGzNA0+wBhz>ORfaq0(vQs3`=?S zg4p`Bp=_nUdN(ViPi|RU0b+L*D(7ZBDO$B}neQEX&p4c)zPQP3K9 zhnUG-(rvSraPMp(ZjH&dyKUvZ2zk%cs|4d$tCf9Gc#4{Oq_NL%rnEaux9EQmS+p0gW0KME zZRpEH(tR)(q7_@CpgBb(rd1R74#05QhlJVR00z{qN^`Zv`MmRF+!(E}Ox2+6weSEk zSZt81M01o4p>fn+wn!=7e6OBjujaQ^(|zP2jL3-TW!k1rokmPL1>X0?T&Bj;{c#)h 
zi|kK>3pDfc_C;lmu;I9CrJE-Nj9>F5QCHBFR5iV0Bz-%0zDKs~lpygXRw-|eS2-KT zeruw{JZu^!?8KvJmgb4ge#V<_H@`RyB*d0-X5o_*0+s*vG*xo4up4^je-_o`yO+oC zrOHyL>{HS38#Q8QVrt$K8QmspH!(y}Hz*fGgHHYPAZs?V)w&Yt)RvU!V@9p|klbAt2=kFdr$|Z#?A6{%l?j{nEzt(q(Lqg_sdPzy#1m7(TncVg1dk*sNP`;fy`NYMC$muaBboEhZ zdUx6986;S?d!6Eo^b}Sqek01O0@feD{rU7WLp5`nmaiF%FN|LOH$pRMF*$-*KS~FQ z2~7Wf8!Dr?^E!*Gei*2033nkO>Z@qyEY0VNs(q%<}0Ft6w z>dQVR>G!OGPf3X_-NslTd~t<*gz7`>qo55P$764WlYH7E$b5g9g9hsBQB6l@A~)S7 zZ~v2nDHj|_`#>*o8heGJe;Nj`4tGwUA53l_6&gMJWUN)CpD`mNL9it=IoRQ)a@VV; zawe_6E4v9u7V%$GLDRPLH3{IbR}y*@7sql{qS)Bk6MvL{+SU_@X*{0!fNWDMFRJF` zjLFJVBAxZAZYhoCl>}RArjxIlW#ww1Z)Cpilk5(9LpAqWHS5jf_i=yp2*wW5e`qET0 z4Gvk6%|IXxxzdvcg5hIkYg`Axxu@FMMjY!-GR;?t)?u+82E|nw_PA*#NN`Pc&W=x!c}mY#@y%`jV(KG%G17VSbcbR(^ytlUD?!*WxhZEmQ3 z>tF}x((qV~)qm4F_b_u-Sv&~!C5_+D-Lp&1sJwm5Q^+Oic z!;>R~xz**K4>cy)Ai03%qa97v~1U1(iv8=aI~K(`p41m(SPgjQ4-Ao$`J zrhC@F*(7PuYC1x*Zs$QkK@#$$tip{8@xZe{Xvokg@s`l0YO+%m=aZd) za=pVIFs5|69TYW`X2~=^V0h(AO*H!%a41Ed3MnA+CK}d2OqHqp0BjMGN4Z zvFUu`VFm`H^_C!{h`ZgNhRG`Amh-UNd$#?d)ot{A4o9w2m#}5>bFNmlhU%B7e0q5s zW_|kuk znE-E+Qd-ylYF9j8`l#XB`v|1Qv-%mxd9=tStFgd7V15Ean(VYR#tDh-6UQU(yIL{& zU}`S4IntqS0hg2E3>qB&0PhXm%Q2leW&*RmA?{l7LmQR~whBt6Hi%0cQp{nu(3j>~ zAh_+`(_pD!aB&0jdfmN=qUv)#m=q3_CDW9fD7PFI(o`v!}t3W8}d-+Hp+)xX(@V@q+4d9F{r)0J%o1Zc2AGKs}vJEMZ_Q(yWX`Bpo;(l z^=*gE)0&#~gKurI=I;yDFFEo=Kcm(Z)uA$^6dOH9N%Ua~WDa`TkN13XCbp+c8LGCG z?lCX+1tG)elu*EMKfn!X(r}l>-3P|~RG-ZAu$zgUZN7`gSAAaEkP8|P+rU88^PEhQ z_8a+VqsYb?)|DBQ7TX(x{uh(sl@bqHM5hi=08v~+ARZ2 z^jHaFHcJr4zH$&pn%TAjYoN|uozG>TaVETyQ4l54(ph9T{9 z6+UWBCblQFj#vwvfmBr(sTurO`68*Q=+2QH*8G{Vo*APijg^jX{5qM1WNB zvsBb@M2o5J0B}61L7S#XA3b$2ry5Mo$%oz8*=VxiYnI^fy8$`aA!SaCc$@bpr5=VL z_^5yPj4-09WJMw=oPKtFt3YtJpp%SOIphaJzvzGKgu-$Pl9H*TjL=G9pd&8$ zsE@mZ4bn(N>|G8Au#KOWCp0|~XPomX3l~DO`0;AC)KrWYbe&0lrpK<|^z~KyvwNki zPeDBH)GDOc_XZGW;!c&Q^`??>^YfE6AiikE)$`GDqz@X4iA1g=aazGh!)K15drB5w zohQ_Y$~ZC0!?X^NRfMV{z%~zf3UCZ>b%_r?wFb-gOV_dC1;#jK-I?a(Ij%!SrQl|B zj@)O#?gnz#9Hdp*e*aJamR|&}*}rSPPT%v)>Ase+Z3@9_R_d%b_Pb^5j*Oz{iWwKq 
z6LDsnH;jpXmSR{uc3iKsPU(rYLS<&W>HlPw0rrjQq^hq=O@?g~FeS{X~Py1g3P%1?V_cTR7tl~|$hW_HMq0hj!(eS@IZx#QN+>dIiotP&` z=Vd}PR=h+ik5tDa=c)@dbJDlPHJ_HQZx>hwF=5;U=El*^}zHpr~G_W8I&Y z6_)i5Mg~p4FK8~#zsmY5%iW&~h4z=twOV6!v{$XSKf$?b=;+`|bQ6n$%y@LprcgO2 zBj~bUK)1v7goq?{JZqYUjvRt5JMl9WV_45OAjRy4i4{%px@a>+Oec~Jx?PADD`K>J zjb0hZF`{Fm_}K!mERaGt8wi866ge65rFXX?;p(u(jxwkjEh&?y+2n|HB;DY6xF6|JKW4x>ISeH&??B6p&EE$}3ok@r( zr#7(qkrHtsWJE92^ju1DWH)xcYet<~D|ruPif~7~*5JJ|77_|!`PvORfF*GeL{V|^ z{frk4YJxBho0X91R|*_j;4%^pIFs!YXD-gR?A>b;8Wo4mgT~FlGrCSl*%d1Ut*F3! zDl`=<^>%>@sK}nCs&n#*`14h$;0Jpx?opc+EO#wghp&;NS^p6}(Bf@^fpyFip?wty6 zi1OziCvv|FRhmg1F?tYU)tq0kC0^kbrGB9esf-Ji+Wc$q{r9Eg9eC5^YFG6MFx!4V zOl6wmpUR7i^M6=!nQ|@F#rM7jO@{Y|Pq}}w%kQFsj$4S$t2>I%bA{OFXtzx^T1Zzq zhf4MMpJ<66U)W*3=49Ym`~11Bl0pOrC7qPHb3LW0v;Sa~<(VF~X8PLKB4*Z}wC`dz zdPww_&4lSWG*%F^8Y?NJfE=)T{+GZHJk)ySyv`g>Yjp`YglZHN6ju!NCDk-^p`zgq zL&*2J*8qf#_f-U+me-&bhk|W%XZyLv3&2FT>GE_HtRqR`?fV4aLYxU&u7?drdoapX z5cZjO8MmtN(1xfx@vKcjT$3N>^EOZDxip$a>$Yb^D+B4SzH9-n-jAw^`{3gffNmZ zWCIYIX#XAow&WtZDo1m3o&z#7YkOuNKYWpB41z^3{Ju))Z@ha7*9CqyVTv=z)QlDC zDr!xurfYnQI4rUsx5L0Z_Z=(Ir**D|Hpbw={iWhZw!h;`F)fgo6?S%Za({L`R`MQr zg6~L@$o7q0;){Jspe7k@kUN?D+)9OGs0niLaq|e)is2omz;W^7;0(~N6~GBqj^;#?X`8g zo)Rz%>mhTv_$PcxbS1>~4Dr(AHK=1p(G<(vd>i=LAaI{p0Fy1r;+5R68%zzzuDG$m zTY2Xcuj85eGZ(+hX_=8W%3q(xWp_&{G{VH$Xza0~(RbFgq%{W9rk5_$ja4U($m@hb z>wB4%!N>8DbjiV-Z3Us9eN*m7(h_1jQY5Q z#6*6qu1;*NTYPPpI1QDSYpf%E(}sCJ zE@43}O;=kJncKIXwPV#$d*P6W%+BbC8?5FLshuYCMthsARfZQ^pjWQBC^Jq8 zXLL*itF%Pod3rA9))SZ=@hu@V6suE0EZ2}X!i+s>Y5&{?LAq23nhv@qXyq0IiA$$_ zcH|hRdh)YWJgI)<&5O39*d)=UXvVT|GcG@VzjLk(%x^vdeh?X*5k+lqI!&T7;iEmo z%!o7m0W1nmokECfgy!^M z0RhmmDgs^f+h%g#JIv+&$AlOQ1Z8U7y0x*~TS8_2IdCPT;`U}+`^Kao9 zI&?*2qH7s%)9QpML_zDTsA)1prIIJ(cm+wU#KCcD>R}RV(Xi%OzC=o1Y!_zng0rha z9kqgxyfZp ztdlic55OSZ+AZxrsMGpclS)F%=FZ>4U#Ss12;AS+6;2H~S%6-TXzP_5XGgr&+HVV^ zi>IL-KiTI1e(sN!DzSrG)W$Glw;TMrbVWReulfoLhz*?k;oNu<+0%>{SEN3G8! 
zK}(EMW8Ya=mMEVrdkQ3XbdnH6+-MD+DAbC#*;yf?Yntsv$IR&83K9pEY+o{3=x4xa zI>!ExSfz;9c;a$9ow{hbBo^I(7cQeI=ECUR2KzGA4(}Yj+;%x{2yX@qZiy2MLJOScd3&t4PruiwX%A(JEwNLmG(dv(^JqqpKW8Ul zue|RkzrwD@E1BLB$AP4KK(-Mf60kC;*+_=WJNwg)}GueoXD*#h@=UYN&`*Q_neR0zw3nlhE`NktPb_6&6#L~o^ zsAQ&#@X6#KCf^VRP7Q6&>koq+k{lB!{NJucOSpVU_yjT}GP_xI`Nh03UnUwV;uxQ= zMp2zWpbhL()6%3sm%{?hynVdYGBL5nT+VL*RLnF)nw&4D5RtQ|swEXMs8UCei*<>j z$loFx>Gnjoj~m7X$(TR69Cs|j;B9HwI!R_EO@bUxr1k=pR|W_3yLe0IU1F_p2mSdb zW7au0{+>bRvH?8hWK37RQq%h}eu+_vDb?sKdqhN0M=SU_!}e7)U2J^*+`3z>FG#JQ;;c|MGA7KV_DVk_ z#GVjWf8x`4GT!S;JiA-)nZxFZJiJl|Dx#;jrl!xAkG@E|xVyNb^hL3?tq6Mwi=U$y zR@XR!hOYJG^Qbz(0rVJo`>7=WHaG|{uo);(Sprf>rbA3W3bRe@$`T~Ggl26t6TvcU z2kIEgik!X9Wfc|U8gg2b!8ZE6mbe*!RP;rKvyoABwOtHv(-dsVev~ZRkl!rMQxMvi zrCo@}Wb?juam^SDCCWVaJw_}}pp?A0+yEaMbL~#ME@}0ZKpV2|=+DDXHi@c|q=gO7 zCxzJeEu+Inu2)fE3c-(;EARmG4?0f;)41J1i=pmwaYx^X$9U?9l9u@5N1{V zu}sJ0R=b^`J8#CEiT!TJ(eOcUsKU-<8l@A1&v~g^B!}Q%Au6NUqW0I#mF3n_*1e6e z*L=uO;iQMKiHrF-S54cYvTo#^H0yc!;xTfXlx=3aHwm_%*|@lp4&AeeNImh1eI0MO z3v%9ZU(+sgzx@*7(qa@w_ML^gH?-;Tu_57|tBTuU9>ngVO)Mmox3e5vd0CPO%At{= zv!2in=WD)Qjtj_nAHT6{^a~nI%u|)PF>fgGLROABYntSSD-|DeetCR}gt+&n)uO2JbQLU8Fk0^It;}O5m#Eg`2yG%W~I+(<=bE7gQfZb@ahRoc| z{7h35DMiFdEK9HCXApjc7OUIDldG8G%=;Ss#@!<%IdS)^ZK)eoOHwgz4c_expta7t z&gxtL2?7cruVdeJhYZYk?{@nTs4d%l$&U^sV!fYku)^Z14%7!CvoNIt&gW;DG@je# zi;NJNsiY!3i%o^Y#JSr$Nm8WNA*WW?RkEE4Y2APQM)q&^%7ez!!Hpx5#IZ<|56m7+ zX0|od$iVv!4(T4%aVFX?Y(B@?bEH#II)ea=%%T09Xlk0proz)LgI|fi${j*wo?-^w z$gmR&3Ben5mUFE9(N5#Mg%|ITTuHR0)n(!#OA~`e zHp*zxQm2z?PQ8;-DQY$Rg}E{1-#?_mG)*n^w@s+?;JL;JwQ80+51AWecX;M32Kk)3 zs(v7jMch>cVQ6>563~*}Ta-=Sl2;i?K-PCZ9cSFJBKNF)=tj%(BA=hOR5+Jeib{X8 z?3J5ODpDy-%{zP5HX(B2!_hv7R#KCK+Ql6v-X*;FlxlPAW zUOI{U^<-x@8()%+(BWk=hez;?G6s#-!^;B5NovtHf!MHb5%IOf049e9{3BezZWoJS zb65AP>n%^E>ap>)pZe2chBDr-VmNVzxWNJ(Gkfa&aTcL5x{?L&yZKHhqsV$(?)2K6 zQ`07`Hw?+X5~6>ndP6^*DGz~q9nk3Cw1g^-=Q4d%_jMj5z7;T86M$eSc68k9e3B4* zv6{p& zk^Z@*8k>1&TmNYZ4*x$DNiZ?}_R@K6-X7ESwx5wD@)o5*e$Lq;km3ZE`Ru~m^d<_c 
zc#k99>kot^?YEC+S7|5!C>-i|<#Nq`*012{A03E<$^gbmYrZl%z#mCo5=ktrd0ijYQ*XyG2yOEcy2&bcUl(e_O$40i) z-b%Z)dBe5qkaa0m@Y?80^r6+#pWgPVe)%~Nb^`bi1p_+BVHAMZcXwxFEvv0Y<1hgp|G_g0_z|2*2dKnrbl^K^W3^{tU{DJ*Ck_B{;dq`%~boi{I? zQL6dxS7BeW!MC>@n9NXLHQ#jY>r%clFynUdhrn~A0+XAx9)wSlnv!w@>KE8MxY(Oj zQNC3p0$-HH8=yZ1lC9d$mb;W?+f)uefk8{~GBjBgoXgDWMKQ9nwt&k|iPP!%Ilvekm9k6N)&<;Q&|k#^I&(*7^ouEmD;kaz{U4&%y7@GXSP4K$!?A z`Jq`D)_`;iCyPlnOZH0~!8?AO7nRJqx1~pBd7j+yrSkk%X+)>>i5-i5eD?hhD6Kpi zf@OmiA6WJjKobKitki^*|7b(+jQi457XE*KL>0P?kXJdRk7x$cPx+3#V$med{(D6Ly5-+{EwPk2v0K%Qj3||2SXJustGqaI( z>m&XCV0hA(tintym35z4#~-a(GZW|;qFb!yUwX#ooje3Z-=jJ@-u>hJ7M{a zkXu&a&#GHCzMGDCH9fv&SfC^bn+~qrj?Uv3hL>*Hy0g%H4iL%4`mQf8{!rAtyy609L**ktut#|%qcjQi>(+;NdPbMi>r}4? zZ)%RT9B}Jhzvca6w^`MR>wl-Q2m;1HhketFWu3Do(KZWq2kNz@q z33Z7y&Dd{+6*-JkVUgAwCZ3nXVd~8O?|)ChH`j)$;WO~fZGNZYy?$K3ek(L&sP1g? zKaK!4_9Qg$we9bPRm;vZZ>?R*&OC3%8oYS{zd7~i;IWLuPY^Nf2h?5QEVGM2_3Cn$ zbpd_b&K-{va}aPM+s6{lm2V{?|88 zud2DB|GQvmG8fUx>ytmS1-jU8p!l0FxTNBzx2G>SiCvWg;kSRCUoXo1vY}^_W-QHc zk#=8KtW)>(y$R_RjsHGCprX;Fh5EOfKle`EL{DLV6N}7yFit6J&io$S?%w?(%1t2O zcW2vP}m&RWwBfRaAjU?vtKPuPptN(J} zkP%ZH*PwHJuAxUd@ED!rkKg+xO~+g7L74L&FVWS{h`ZKOo+WM48227J@rGK94J$wB zwUVa4PfV1BQ@~qDAGvT~5uV=&Y}>licst56fsi7O{=ge0cbb0mZvN$ak;{`{p+{#8 zPZuuleqO_92YxdC@h!I7OOBtp`I@t8$Tp(EtN!EeVS^3K0GC&PP^q8x1Kzx$)@XyP z?8;!-QA9YBy@!Z^#AZIF8>lx^@xhD$eThAEu6btKJz3y4InO^<30tbJxfpCMF1J3m zo#{$1Q8X&US*ye=1-I=zmG^Me^W=A@h2>~RFW~@b0ng)PZ62lNWvQzmFwF>Nl{g&u zd&km_`aTd4NbyE3EycaJ8=fCD&I&bJg#W>Ypjqk0;TTKj+bl@{x zj)Kp9zz}&+{IH9yZ8S~Dgrf2yqusyv4*SxxKh1fVng}s%QYBcCX%4hD_okdn1$7c~KuL%&KauNj>r}uTrdHiv|G%Sffx8Mm)hkG1fA@KT)2Jcv3WR+Y zlNT?9=Kg;-1-8t%jSeK%shpm;jJ5;RHgG&rO2=D04Ltw7_NDWlgs&bjIzS=&0AB(M zFPf6HN-CbXqGSKrA^fORT=Vwo47&_ie6BKy7yIXD!wnGuc4S@OHVIL6 z;Po+apg)%(M-r8S)wf^RO)EQYE64qNpf7GzHIy~DMK$fL&DR(LP8@zS_`Yc>mF+`n zuEmP~tQFAW6Xmh&Z{%*R(LMyYKGX0C`d>Mx4~9It6GJl#|FN>8 zq$K>w3^u(_n^U2|5^a}119bc!R{&5+KdIz;TUh7h_8Mx2x)K2_?f#PPe{TTmXI4eu zO3^CayL|zj2#9^11h>Ii$CW^R&r91v>i;{4RR~XZcNX`~vNKKrS{!7mVhT0Tc83xF 
zC7IAck8j}X+$ITQ7%v#8dFbtr0RWLXqex+sLWumz;ID#9bHS&OVF`AHT{#4nSo3EdL>Q2tJ`hwQwDIrsp z;N{geks$}^r<#?uwd(S>Mn@}>0Lgj#S#j)_))iWnk42f_nZRACdHL*{es1@Gr~k!8 zf&s#sUrK9WtE;GIoN#rDE;+5I@HLAzyQ`v;#LSi z2b|pBcR#|d3(q%*VMAb?@lXJ(DiQB>wY4qW^=ShiELYH~5MVpTlor2HO+-*0`QD#a z);mC5=&WkP^a#Zv}(| zMw9DQm{@jCR;NsKdIQdaPmTKED`tGh$RFntplk%x0#F)(2Wso<_kacxU$WPOurMO~ zPoRJud3P5O0&|@}i}ggM{<9XUGoL^1{c)4?8|P~udj32K8J0O(LM=hTzx(UW0{BF|e!@s1vd#j^>1KKnD@6ua}ViEHPLKgG757&Qc{_C0Js& z=jZboZcpetR93n|#o=Be`MG0rI{4cos;#XfR|li!gsh;JrPh`EhMr!&m3~m;tXU+NS>MNHMAq`-hVy^hMKPta+xv-%O z*e)>5`3loEwfWNrhred7EjoYsQ`%0T@5fS1KVK zGNkw?rmSJX7Dr+@0QX+dm0Q9Ci(I6DO?s7v%>o6hZA%wBV zq0`@1e;C}q_nwUqMnnE+LZ-U^wQfIqt{A>E6^w2EAbBl^<>qH+B|XM!jyA1qrTzP@ z%1nO#n1-xsVhf<n2z&uyF)>iXtc5QCeLrK*OJsz8$T@#Z z9R9w?@5{9rZDEvX}ZKX56AqX-la$LCZ_BG<50V`2bZ_2r%lWU8!)41TiuY%d~4f!OkoEg z>+qKv&PZ9SZzbE`zf)3Dz9vYYXEu;#!kRD}@0e14g{NUA}26;KfNfb$Ode8BWhgE$VkIm>2 zktjtYXG~mKbM)j8rz8jAsDNB+YdLm7}2AlC46LV!gby-8K^h)Hb+mv+d>ml z%yedR=I-Jp`evne6p3b}qihP^ki=tAH2fV5_&+99x00cCj!cV?cfFTF#pbH44B9}- zednPtR@L{=C6X=)1UiaRy5igcHtB?syHn(r1#l=MG=`ZL4Opk@dp0LDD9e{bg+)Yc zTZ8=F-9<7^z41|0(p;L6%@cbm+PI zg4PL+c0*Q>Wh~K6`%aQ7D(cyE^fo@Cpecf^5PN0&LqI7mKQm>*G3PVfQ|ryLrP=uF zp=MRfW-e59EBXh5Ij3N*rDL+HX>R@@j)B*indGW#-jb;1Ynee(HDrQ_uyATu3=L}s zF->XYnbZ0F-tD0-2Dz)thbHl^C(u&Dp!hwKQI#Xe)p7p!h-dN_StB}s3^L{2`}dj4 z^hMGTbg+FB&jU7;LVw@t>$v0`0*bM)mkBze09xiM#A@PRl~};JR%$l4gdPTsjC*$R z#eh{%62j|Ye_CU&Z0IGv5)*bOUAG*_VeR+Q<1Pl0(1$!mOUJ?;YjlKc*3MO$kfD1Dys^wAa&`RE-}edvshpz&!i{Ex<>6_g8bqMIC-Q)|)of zJhB1a_d{4zcWSw!vXYWv3N}G(N+gIfQL$%GqyzUeT4?sVvvb*!D9}kYY(U~gX3uRE zcw4*^ooKuka3I{l*~sj25k^|D)8Mz=azND`mBFw0K9JPSz$YfBrtWXF{x-em@WBb{ znGWH=K|~Pula5#z!IpyHsU<*W?gH~6Zo<&e5D~^rbHarRExj@eQjl??7GE=3e@zGD zwZMLZetq?tq>?;K@UY7H{H($K+meT;s`DpY(;+cikVhP&claUHXl)67jSfXuCbXjc z7{e0nKiq3b(H=x+IFD3bK)ePi7R~Lm)aJqfj^&8x1bHrQBo6K4<73tqevE>ruM-1% zxJ;C}$qBv-R1o?0Tj^iq7C3oLUOceH0@e(;i#SFEhF_f$gK;cX2bnj=pa|+gkK&*9sebPYO*KR@!BsQFT 
zanA_G2HIaTMy3O8ely&WbVo*!sTmtG`VA*5X}|(s6vRC!r*N7;D_a3Z2@RVJc5O6pR}IK_~5f8xDckXXX>EzH93Mw~&PZj~~K>;TUqu7QuA z|0*ouu%W@0?0i&*NS`g|#g@U$me@)#14UV$x4`_Wvu|PaO(0@y7^`#0&CNYieVO{f zy?gii`uax5@4*c!o_1B7Os+hM7S|MIi#%5%=_elqb`4KPUlmH|*NGw!8-k*!VsRq-TiFt@1NEwb(vXl|UdljmM3?3GX0sfmoKDV&& z^az!2_*!%yEI9())&gZoIHlPW2cZGT-M+KNdjX%j3wMqXC6l`J`x(#w4XZ&J2^1U* z8Mft^fofP|O%QY7YIoS9#2Km@RtHxp@X`?xB&6mDDM}748Jt~;N;X+*u4=HHyIFDz zT3&N723Z4X;_lR=i-MBVrVq}-U{znAviV*YGOm*E4cP?=LZ~R!^~GlFn_l!1f88 zSC5J$_1$7?NH>g)2?BtS>dFLvt0)Xj;4iktM^LhX8u!1phkJ3`=4-@gy2Qt3^ZGZ; z2ZV|Q-S*zO|(y23s8`GHv_YVkSM(59WqZLNeN*J}F2|fgOi7_SH?xj!RVSFw0OfsV0 z38ud24+<31Jy*px&Id-HZlbZzhm9T#+3aG8+eg&a+P6G`mrKKwLyVzhaxnlxL=XAon*>W4csgH@wA4ihN{aHlpN5(b1{E$d*4WZuLU~g5Ov7C zM|}X30&ZtqgEMIK4vMdE^U-xQxek?p%z7zTp}f~*Ms~I$Y|-(Vf5Sbhdlh^kE;dE8 zlBdiUDhvHMWF-Ewx3@Scf+xP-47P2%N@aHkaRSglTe{N^s8{`XbWvE zc5?-3oYz&B)c^u5mRtFQzyPWENGnw-V4ZTay@_j;yP=2%q&#d0J9a9V(jxd%KWL31 zmP{0uBO7E9ho|Ck=12S;Ae$an;dfpM8o7P1TbQ{`LiE1yS};MroVz z|0J3~cGS?EfO79#NBOk}8bUjx)|Wsj(G7@$J;%8H%;{Tl)$gjAYwEa}$Lm8&l2A$z z?2aS?eM0JhcB5&vcVaZT#;wcbdQ1$7PA%qe%R7U?$e+HatRe z0uZbD;4tRIahE4cEl4nhpcD9E9N_JMWOQZVlp`1oaPF6umv5&0ZI%Z6^DOq{8Qr2)qp>E`6F zzGGU+t&)u#q;sdTrR@8m-l4lz zr{)5|*4Lj}YYVh~vmSikIWQf(PawU0bSVrWtS){;@$3~SxBF#fWRUu#b6e7uRqJ~e z-=bWdY;-H-Zw5}HUKKUBu2PNV{~Z`f>AciFov`C(OMa3Pe0u;>^tMroaxRRPECoK? 
z0G)%kK+!i&961ZTXVx1)Jyz7xEPGAZPqz~p6Zfmx`%}UooiBxeNlw(&qI59p!?{F> zoa{>m5qxYs5Q_;4Dpx_LImVNX-PpwB=jJ8~q=aDWsIxMWra&|KVjhhBVNXcYHY@EL zbY<-KI#dJsYJ%Z=6eBZp%;DT)HxyZOa_jjAXEmGejcE-GWet(9Gg06HFK~G{S1+Fb zUl%tW`X}BYQTe^S%x0he83qpvFb5bQd#f_5c$Qqh_EouHC#Vf_2&O&}jCNQo3W0%D z9U4SUm)lxWT{j;jIZ$~ePS2!7mF3Nz zi1GXzu#?$sWqa)kWcqx?zkNo=u4r}&-WGfqtS}dQjlhI}B_|BUxepthf!_lv8#?RJ zpWjN&pTwcIhV)L;awwSD^^T9T7=eP!DW55r$2L(WpMpl+$7m2X4OCIN6B#kDp*E2G6#Ie23*Vk9FS?)%eYN(gAOIVG-P66Kp==ek z-kz{DoV9x`@H=Jw+MzKUR8ICC7;N6lTO4z8Aa6tH$Jj~(C-|I=Lf}{XK3$|>roIt0 zD^sU|JnIj3{aZFK>u3rLCzpehJ1f-e5SsPN`ks0~i<^@p;mj(o$3FhJFjLznE%TdG zPX}~{bkK@>#FWHJF#tV(5rA&!?9zIF7K(D5FHj&%4Ge}D?R3as8#23cfao;{t-95M z_p=>D{GJc=$t)lmRpWpjFf89^Gzu)V+&UMb`obx&7SRJ`0 zIifd}zD3Jn5yxE_HVNw!9+ug`rxz^ZKzCas1%>0}G2q;a;1B5t8Qwteij$HgpsqXn z>sc-u@zh)fyMRGnz*8dKA|KE-lU=<-eUPwG@q)R`Dbvl^D(*F4;I&?6(?n7bhj}ITbpMUe?TMn_JI)470 zqFEo6ih>4<>muVp_$O$fz$F;c{luKy0TDAySc5o{dcR zp&I#aSv7uI%&g<<%xhZ|!zZmpm@m%FH;oTo3ifq2zE#<5+>8m6AjsHTFbKSchWRv1 zm-Z8_gVZ9~*N?Hmsz6KF`}rx5#OtY+`Gkao)YR6Z`v^z%{s^Reh911(rV&>b9nmyD zrM3H@-2-P9$tvTWV^^z!7EHY!_vBCKp1(8V`Wh_csItW~oXIbghj zp;cL|eCSY1c7^L)qaRI`&6*C2Q*|`x1iXCi`-mRRz;};W+Plj4^9Pr>sBceb{=Qb& z373AT>$Gw}^^c<7x9|ElZOrY?d&f0yQtFxCx}egAw)Rj7SJ1}YSMMz}d9>+xu?9Ih zm4$^x*tF(&7^{cN{QvbWzLDnKYO8t_RxJ&&qixz#AJM$Tz?{YK@& zG&ucdbf=_U->{XRIB3DB=zZqR4#Ep61{tL;AbH*rNep*gxRm9scqKz0{}`J~7_p-@ z`_v=Yc&%2d96EH!%S)zDC_v3pmxvsFmCRj+O9(DWYVF9d#fQY0 zsmN#LT~)-_TZ-45@2=I<)NC(0utvqwco9a}N6g+02iXm0n4DPP=p=C-)UiQw%Hu`NwgapLw8Zv_)%+_LSX z*^pF34X#1V1)mcm)u!a$1_jk=VDFLAXguOgvz+8?2vWD-^`V zcO7^ZSforVJ+)C`;*)Au?@m<;2YkBm(4miM%In`71db?%)hla2QyvhT74?83#{_ObK58#&w#DrhLmI zG_4$U1H&jJ;j$NP5ZB2kvf#Co#Je(44cmYo3AMGofDRAV)x3g35mjk9hG9w4ii&Hs zNY^XOdN@)*M$rym*OqXblQ1Bv6$?*)(99ZC(_y`BKRxhp!gHThB5#xI4#}kNmz;OY zcI|U`Os4{SM%#qi&{L;QMa6T!Bb!L0BMSO9l1)$#N>-s={NO4EZ=kKz;aIY|x@sL^ zIa>9}Ss2NBn?b4Py0B}*vuAOQGm!jnOd`1!O_omb{9NVvd1j%p{_^Q zf2{rSt*8Hxa1?5?zBcX#&iob-POr4U3@w!u&Zbtf7zYG&Z$f<5$jIzNVHctddYdm 
zr3z+K=$FebO!b~xW^^x=_^gcBZ0drk7DMOS7w)DkkCYB`FC@5`I~u7K#%WL-uZQXSVvX1$g7&aecE)-P30Ga54`SNm2KdDkkVjC)g;k`kldBV zARU@>dB3#tPI}`Q4=0t*u5P!GFP~VIjn4G)FGJlpN*uq#BODuOZ|NI6RC$PC7O)>A zk1eJRud5rBJ~|ZGY53u}`uRB@7^jfemP%#aw1}-sHiBWu%3O4j#V{J zE^k#aHcnVppc2Dy@m(pm@=0ywI?UXQPUBih76>X14Gl#W=E1c1PUD_6F-vmRE#2yH zsu-q#jSvo8*?Fw?Ujnb}_Fc66jeF(8j?ALhSm=~R*yC>tM+Lq_Zddwr#l2VhQ1{lx zP#>nGveMG7TrH*myp9m+m1QZ<@~zZcPou&#bjb&m79=v4$YW}Fe@n(` z77(aj80_Ys2{t1M@pkQ-l>N%L-qS1In&fyOiL~p6q=y6LE95Ls={Pvjm!IcX=b(Ep zb5wM3>v{zRKMaKhi|}|ssP)1{PfK%mRq9?^d-D8pHi=B6Brz}LGl{ujur;d%wXDg3 zAvD%*g5jAWBvOja+R7SA5VlV+>;6kcE-~?pia_Je)8<8@`8V5;TmD)Z@#LuE`J2OL zU%p7~piPJ>5#DpxOo3+M!m*yF1zx;doUs{PrD;fGK6tOj_X*)Ee{PJORr(71-IA>MDw>&!B)D)nr*G zQ=(|k+m9b_*)@@lT9YIt-BE84(*B9{J|~lD3u!Z#`N@!X3&hNL9-sknRKdW2)73Bm z#+)1IQC;tN#)#_#-F$jmRn%&p5T7?U46q+1B2-kvO{SOI7Rw^qlgq zrOG0L%Xi6G>FF^BE?s+hF@yYsx0cNk(cY)I7v#DZ8XUi?EJJ2zXjDGWwa&!yLR=hC zHc!iOMQw@l^Q(-R%08NX3R!=5 z3rEL@d#qvwNEb+NpvMyCLmsEPQV<{G#U(Y|wU3tiXl7_wSc_lBQe$BoZr!Ey^wsmf zho9sQ6N_67A_FQ*gW0LepL~iLN;B`+BU<+P_&LI`cQ9OrKc8=4c|&&W1>wFTjixPnkc zO$yQ#YE^nA!J&F1$oTmVka{KdRc@Gh>F`K#xXhlOa0wm_$X*#JJaFWi!p$?cUsQqC z_-dq|d)J4b9z(sXqlJg+^T}Jc?vMAUqEWgdQCr}%jmk3QUc=610Vhse_7hw6KFEuf zOJT1gDg1oYFSCkMNgq zR=9A^+Bh_sr|89YOp@ZUOT2YUDiAxc+sy1@_jQ38gc%HY##7X^g~KH{a_!MirRVOp z89Twe56dviIaxk34d(c!^>jCvXTZ){`lm{Fxm-!Ro@^AdUkIi4M8fA-y7ITK*IM7h zyOW~|PLxdj~NcvUD^#6%o(kO>K9DI^Rf(rNaN@?X($p-c=26 z>wrwJrbbCknwjo|RHf7ar|58(=g$(%+z|WbmZBEwERSy@YDvF$Uwi z26SvI*RG|{Wk@{!Rw-TL6Fyl?tx~`KHQdyTE73U=j<)*{A9UM*5U(ChXCbEdR&4f|xvFT8vkz>F_{|M<1zNYk_9 zX#w&T>k>y?_*9&bp{oAOv<1G#)@t6BUwdwj*KcV%og1@bBRFdqO>@%!#-nmA%|}O= zeBK_ry@t5?UxL`FD{Y0u3SKT_lmGg%{zzUMM^anAU>2hNpKU(%u--i&YLg_Ca*jOzm8iLf<3l4jx#9l`P*k% zcMM~^>KVBYf^wYNsc#$lx;nN^mIF<75trm|8F%SqAy%>X$C}u)mnF!R8(Tc{C`DGF41o=+qxOls_o@{)ZP+N~ zT<2{?zo%flxIbwNE>~N~>(-NZb68tX%urdqLc7f110k)1 z0vGI6`Ksb~dvUYg4#0sbrA*ip@h zzhTV2?P10A9>oUjke9?(+-@+QU+Uwd%Dn5vGPcd5{i%iiQ+spH!5R7<@rnNF&u)(| z%a;3B2heX};Go>|h(a=LNQk!ZhV_$nUs{hSnryg)-+uRCvSxemf^ET`)%;Bw>aGik 
zE4v@jROZzyUZx3`n|OjN7a zy^#B+^rpN;yD9p!BF_2K#-4YqEcY|MgH=Ww;K<0FqrD1zY3h=`9o4mxUcOoF8Jv5HV3}Q2VBT$5A0zgmTC%j8%WtFxDnv8 zslW1Oh>pkiRp-2_cruU9`IR{5LYCYDm!QbC{-rYZ&wB4srTR7($oXvPQ5wbS)T-qh znV2=4RNtGVuNdo_{&B6Sy4+deOMuPb5;;|sHYXKV7}v<|mGF$;`1ysNls_Tk_Ra1? zUN&vhMuN?Hi?EATmDMq$-!vbQucy!aJEi1?I_ci!D=BA=MVfo|NA#>EUK-R?Ha+75 z72aj_Ypr;Lh}=^r%ApumbF49Ke#|c)rZdPqNePRjLY_zHHH0_NH4HzbF%F%gY+#dd zN)t(3HpMl{FwAcA_K-;YYksKiqaL^KbNjKK=VoBN292AvS*KgeqO&b3}d# z0t^LXARM%qJAxa;ug#_G@_&A>$f~x+GvHXk%O2a$q{47z8WD?VfOL;N+HU z24lLlRln_M2o)%;Xgr}y`D;XH5}vcM0b=Tg&hgC&yfe-z1)PXS7_0 z$=-;e5ykoMhldrdYZy=-Fc!h2(wBj733^XY4LbYhjAK1uA6Qvxg$Uu>xgK`bOE2FJ zGS;4$9U&3$AJK2LnXIMdV8>JpFed+^}F__yKd;pwU2>}iHOhi?+~8O+f#ds@gfOO>S%k67bx z^+4!`xN;h)>m>D}MPK`$4d?k!<`CQX{pU|4wRJ~mk8=0$VH6T(2^%H`ua3I)#>?^E zF)9o;>eJ#4Y}G*m6x1ufv79|wQ>x1_UGxA55jC4mN39}C%x^h&luu6%Qx2iCvn9t+ z1kxZv{rU>ZkbNevC;#YNJ1u?a?LG9}8cV~`@XO1Wncg~BJ~ftSFwO1W>0n#C#<^5) z=T5M7-$XtQW^bRG|3iVh#&)caNC zx|3Kb{zDAuZf0oIDv+Fa>+4r?)2OZsp!3mV<`&_RkhpHr zIR7L{AK;spe|_QjYs;xY5stsjBli{I`3s0DZw?lgbT2wl!KgbaDJ0a>jJ08ZQ*d`d zS?UtuWaIET$IHum+q3o=mVXupz*FS^^JRzrWA4a%C3zrzLZw(CZT)3^A7dHrv3GbmvV@}I^dqSbefi+kvBdf5mZDMcLz}?X z#U*Muzmmm!_`WfH!ohs(>Oy5h=xG^-ookbmlRrO~O6nJr`MwBYnM0GO!o&4Dgt@yu zg5QREd|X6--)Y{rBK|*?uE;}5LEC9@7BfBlX~f)9E|g+OExYR`ney?ryn=#)LzC}c z_R?mZ#=*UR|Ni^;?|Y^`$7O$HP=AZMdoj}xbIcbK7ZdybGB~i6kDHsyYt@=H^&L0d z*I|euk;q5OyQB1xQ7IgAxYa&HNWF>L!}3vQ zEz{05;Ig5`3VN9xiW=*Fd-Iuvs_QcZ%y;LSWD$R@jEFXJA`DE2p1kXRi~Hz!DfIGX zt}zZ~m4?8eAWYrP!YTSsbgnf>;--7Bypgi2omwc&XsD}OLQkJj9>{Pkl7XH5Vr=Zw zn~sK+M}15l43>^PHAO-eM12Ip**&>{#y?}Xot|CeAc;dh6l%wtKSA@PBk_S&S>oc1 zS41V(QD0t%T8C2Xe8?kWQ%|MGEix0oEdWi@bPtme3v{V>^py6}`Q@o##|M(%A?`!{kEYDwvr51f~ zgHN8+8=YbK@qvMX@`-K{Z6}UMaB1FRpRumG+S>Jkf&)*IRaI1wl-+cL{#;<`PET)dnnjD= zzc?MpVi`PithQr%>RWcs?I%xfB4J$Bo`mtwv`6^59u9iF1>oSv1$sN$ENoe@%(ogtVZT`w^@sxmf!uB(mAWP0EU z)oUufj`GQuzkwe4s0_c`|Eyy~P8(UQ-P5;aVo%01VLk$=66pHyBw|G*pUkizD-@Beh zT`H<=l&#M^j8;~}<)6eOM3Ln*ynXfRRVQXDHKp^}zXzwTVK^4{=+5xnml*xBIhUVu 
zw7!(%dm2z)UVi%YW5`NG;MZH_leu>+9$nGD|7R7`1^GN$ae_;4NkHvJ=MTKQUvd{f%^CDyFgEtHX2GoqGQ z>+JXCg5qSa&h*4b#j>(8#*iHU6Av#>oqm*QGV^{VDj`?u!fPH{c1_l;x?Vpxx)MLOU|CjzHd+q&`%yZIyzqsK;*)cPn_UBEz2Cr^7)T3 zgRYDN8)jUm1|L9T!-j2-?BpnS+zLHQ1O)}z#jG{Z{?&4xLBIB#Bkfyb?*Q-!yVKI# z9QC~9@RR#$WMPTl_xp7qPtmlZ_qTVPTiYj>PdI-+upyZjfv-{2dY+Wf7?y8e=(ECm z>x!+FZ8tkGP9@ySslJ@EyL? z;N|UYWf`{blHAJ3)Jtn5ncAdk4c6(I?__?Np3aAlhW!`1vZFKaYF^u&>FHo8i}qU} z{#w0XR~^)-QT9Ybzk|ncIcZ&oaf*f-TWH_!UuFxP>X_a~zJqS(U%$E=KV>Gq)%UE~ z=3fu^*N+_TfQACQfLyqeng99MX5NnS#~ga7vk>rdb8{>3VgE1RPWiK@==6u4VXH)9 zyUYKl2ebv()os%+9UXNweyVZpueHrtCgo#~u6Tkr(zL)9=H})C3sC}Y`?-zhOpaPg zhGjFjN!z#A@F*&Fw6`0leB~*2;K_C-em2hc&mXmXTV6nn1&v9?4qXoax?RMA0zxcg zw3N=U@!r`P9j@+=;Xt(lM>#k+3a*Nu5lvd-&c`ZlD|A$|yQJb#?RH-v(&YVAgUXVr0+uM8h?x&#JHC|6r z6;sH)h#iVvaHhAX#|Q)K$%8s#AC6S~`clek8GYN56FLYY{--;0zSyYVSUr(f;>4zF zTWk9V24eP;NQwDwu|T3)fCx|E>gkS}n3z~6gw$MaT|LZ`$V(;%=@}TDJQa8T{DyjR z*E}jG`^74i7)?E9>;S|K&cs7_1n>HSi_Bs3%_imfxhFffFj7*)T4 z6F+7TMoN_K=vbO~Vqziy9m?|8jO?KE@c5Rd6-P=73JL<#R3j!Nq*1BkMr_9Rx8 zU0CTPSue&I-MBX;XOZp1urSGm0d)lArq1=`SD(gCcF{UGIOvYxOz~dJ93F0u2669lkC@yA(q78;OM9~f<3p^h`;^l{N{}!B6-Edtm;sR-VP3Zm=FgE z*&h*YBbET+!p@4efW~sf-92_=2%ZV?7!c&{w6a}11~L4Ux|Gx`RM;Lab}l-a8*2=b zJn})i&G-TH3g+m1W7`z`E-6^o&@lK^TztGhJ=uB%Cnu-$jh{)`JOToC6W>Q%ZYpTw z$PAKSyfB#%)+3SFmiV@qxW`5<*o#L%0QC$`=hl(0n8FF|~ z@ii@=*4Ya4lh{lgEbD(C8C+t6vC$*$3ZxV&tY0r3E+%omo}_QTfPN2QB?!UrVxQL) zG?KCZWIAQHSk(4Hnj&1VI;iJ!=g#4ES;EpvOMOsZ2!=*f&X_fbhfq@j%8*B|elKp4 z*u4HyLLhwzfdn?p?jvrJYffPy^ZpI8vZk@2A^XgE z)v8te^<)W$EwZwYlN1#&tSiM^GXySMPT z4NmXr(jk}Z|M_eQAucyim6&s6bMM#Jnxqu&eTkvy7#PBSqE9e1BH|qO^(1uM_mR%j z)YP2pY_F@RFP)s2KzMuf$4c=XJ9gBt9R2$BE2?g+^saG{Qj$~oig5lFgsh(}NGeVLXwZz9F28kunA&hl;V>+4f_ZF+t0@xYLf@ERHB{kDr4x4_?Bq+c2zzuK5D zMb8d92iN7mfdkSPO-)P?uOw!2e{_#Pl^sdP+Ehh8c#iMkLjN-Gstg0i= z;gA|}Q&Y9OKYXZzdPzR&<(2JBwUmx7cJBFIMkX&M1wy5^*w*$Vc*QGNSc-1lG8M!` z@>ujw!NN*z->zXRu@*}}RHw~f5DLFv&Xkm*H|Mcfp*1MgOe9is0#Hj#7V3{F$B4e| znI7}jkw`pbvNic>f&ig5xigIqpa4dYxykNrclSy}lFZEyAVp@f?nmd7oSYo!&l-i+u!XW(HJ=Fkb0Q$XpzX`( 
zXbf?Ht!-_|+ACMAsG%I7r{|5EH@M|9&NiG6?)K>u8DB2Vdw6BoHy_IoR zWnUf-s(A1K0ySs58f=*P!N!yi8I8J^~h*8t(rNRZ{#Qbey{@(l4E@>!w8o>I;d0V#vF z3!uM4GF%r`h{de;>r*1rJ*cYM>J}?#UZM{jq-LEM>JqL_(cSO|anilVU=_gQN2I~l zHUpCC;IL%bGWN1*zuwNy0NE2e&qhZd*GwY>r}63+!a|KeU5|hN@gpl6C5{ph{$A~^ zTNl>p0|*E*GqRp9EIhJn7jvJ*fdjd7Wi$|ufqv=Rw|k-5q9xG{0sW!JUW>wDz`7xb zllo0=?aw6u52r zr3fDqPw5;Q;$&dZH8IKFVX)KOoP&|^9gta97ms7OWR0ApBvj9>j0{|G*U>kOq?9I& z?M^UkLDh{+eVu5=l>G+47OLcmcy=N65kEr3l;AG5mO-=nNl7xY#{a(b*@ZltHt9l- z25KiM$fF`)`)ycIl!1K26pt6>vNnKFeH(AVZ~#>jTC^g?*#w5yWgcMz@n3cyAc+=X zBzEoGc|y!!_ijGu7&XIPy8=p{H8tIzmRv_#Q25L4Cc{#$6yf4h!ULZl_4K5sp+V|m z^y}C6o@NEsU~_k&5=+fns{FzQQxupE>6w}m#rc%yrp`&nxk5~8+lb3S1+0An-h@ueEms0z?cudA=$4}8&sZPEKCBP)wL1{7~C z{YP;(G9iwFgM9b?-8)9KOlRG#qjS2-G7G-@(xn$R?K@#6U$_0DbpEw#blnRTAxV@a z*325H$LQ6h--crCBH~V@U%otV|B|!*l!HWBY-<^WWx>QM4#uWXqhFZqNn6{=Qy*a| zf!X|lrhz~nH#9gMJou36`O~Md(b4GPBUo``xRZ{LpZ@|yfyb=!JGX(cDdc)10ZShe z(j)Falkf81!R2U(7lm3EWB(0I39L1Os-~2Eon2ikI5^DV zKee<3q~@ih%%^#a=_lO|sz%rMDns!PnOj(JmeT}>*j*W&1;Mt^f!TfURuNY*d_3@6 zfH=v89fF?e4Oirsb$<7IfiS_8XT9y}l0a>8S65e2ktDl^kdP1*D;ntVoz;B0iQ3T6 zaEv$mb^r+EX9O4-m*2rvR4nD9fgbKd{RX?i7>pYi0lMLaDkqqfxMmS|-`vGTtj_|f zA86_Cqb%eTG`XP>8(KpLEQJ~X#6IH$jZXwz!xcop6lH0ig&X+!`Cn~+rC!+1j+;6# zAP5cDbbS}IDU{ATLg_#Wun3z8P#)XZsFsj@^(tXCQsKj?zV7eqI}ee-K`*QRg{G)s zv6cs5RFAEVP4=#HZ*5^V@jUK3!f21t{OVQsonq@+CVF~$0z+x^%wnj=s6{hq>+FgR zaos2`&b&VxgJ%Fs!-d7fnB4O2+=@|&wQUdI;{`Ep<4kjVduX=hb>|=4BsRA>DzyO`z(C%wZ6jmvZd6s( ztsv0LVIV@>Mh_3~qenI8-o{NA9%Xt?Y;Z{7wiQbN=ttGV^A|510Bnc|k0r`!x(P+M zI6fW9lzcj5R0$$NUCnC+uI0^wObyd!ASZ1bwvbOmTrKMe}Q3c4A05gNSBG61?&mC z8A2^^me87t@YFVk(|!}?=1#tKYt^nQ*nkB|aVJCUR^-oKOsjsu#k90hgkc5%OV)0C z`jmjHO;FSHZh5zEd5n+t{`F*i+ghkjY)Rui)TN?~w>4|qa5Z` zMRaU|(rbad^igUFQH&a3m3{ZF0;VKkXCe=MrGrxp1@@{Rk7i*ektVN4eg>SI(LFHA z24mPCisb?z6WBF2Hbwv*SBF3w$qTlR&J$kT?-P9p@zJm948BjcwFKbAe>ZR5?CakP z4UN0jLz}UIDkl2+_3PKJ32QT1Sy`EznRP9JOJ(m64^2mL_Sc%)Y9h8ms8~K>VY>aN z2!C4|1OmNpf-GUUaC7b?YZ9ztwkPNjFy@I%uw@`a06;c2?qJ`B_XHQ5ZtM|y(OcYp 
zc6+$3tqp^%;-GZ5xAR;KJO_)n&R8WYuJ$b@KnCXunKBTMJAp=Ta)_0jI zcu|s=9Kdmm?4`)a9{mLEbZ7yD6<}}J$;+27M;aJC0o-mpJ%!}s&0Dvu=&kqf2RPh@ z_|Rzb91{%`x!XWQPR@+-%#|xoinTp|j(7r|iR??hk?#11$4Me{kMm<+-zgWoK+1i< zWxO)BCo3nX;$2I7d%}ea{fH`sp1JyN)2r975gN;9Mu>pDZ|O1E=&(6x3*?Ke>{X16 z+{6YeA6H30Jm?HGEzMrZ3wq<&Kq4;i8yFCHuqWni)X0}F6|@94q1gdT4wow~E)Iu{ zhaHN8>+B6};_VG|&3-*U2oPXSRH~?vY1tFli!0*jz$dWl(W6HY*RFYlVH^jlB^1)1 zhh>S#+%OU(>=NYX9(su25p7x9N=izgYgvR$0s}Ozxo?8mcDA>_e@$THMz|Cd0n(fk zc5_PPg}S2L$tO>AW7apM5znB?%wwX5$BKpixg8&eh9X_6kHj)0zJk@7n3#Yb#j_Al z1iY0o2(7g~vzZ+#$q_&+o908%#Cd%Z>2<-Z#t}zRn86t4CQ+^DP;m?F92``7JB<7> za7+wpmB6obm+#)?OcPO1upnYOzpOHA2hgeR5H6&|v9o7eFi;1ii#2Q32(f6XtE;=a ze}(Pkn9%2aJ1}rDCMGbY>Gf+4d?yDl;qOdk&iXqzL})kS5Lx~G{bRC-!~-A6WnSOf z)|trV9HEiw!1G#@a89nSu5eVUEbmk8G&W{sW2-xRL;yGUfTLr@!Swp&qe~)Tj(boavr*Mo!LBnyqebHjhF&5axt<%U;)r4P}@7S zv>Xo{sA6n_KDl^N4nVi~{8gX?=+Ff|KSFgkM19@;{zv-|c55Q-|%7_;N* z^xskmxYTzL4hm@rrm_{2l(h!fqPLH|jSsOs8WAjhWhFjdjk!^6X149cDN3jg1^ zk}RUhOC2VQ#|b9=d#h($zw;*ayGg>6M0y zgW6(GjT;dJQ7P^p9GrwEu8sfsJBu>XapaP`w>z?nGAkkM>P}8qVIGNig?uxQ6~}<> zo;`a8)()h>og%=*6mxC-R^=oK|2OdD$;47y%lIt)13WTJNGD*t!p_!HA3l5_ z5-+1k|0SnKq&$BwKp4?}-$Y()+O?;Y{OG^r<3g?%c8&h|^`7a;wLzb=`_SM?Lqm$k zFoHa`-KC9^DgF14t~?EwNX1K)wMaDP3MJY3c7>{I1denD3pF$esCUPBD>UKC{cDB$fvRxA^{%)fah% zJcy;JlyLtSnOS%L<;ykumlQf0D~SFtJEX^L4VuSYaa?bO`uWaGRP6{U;lnx5Xiq6dz?y1Gx0zuPY_A057#iNhU0W~Y!eh>6oL zeAfM!WzNYTmsk@4YU}TRzdm`i8JXKwf%bE!tmVd!xF0?YzzVaW;zeTpQoQd^9ym!x z`?_BGqL%-V=52J@v3>j2UPmXV805{vi<6+wY#M*(h{s|I-T1s7G%`i~>rdQbzo6HZ z?$A_zA@!`Lgt~?odZVZak+x3zj@H%~P-$$ZYIPon7Fdg%e&y$mRCNdX-!_S&5kTlA zsNj!(^ed5eMus@xu6^#!Lh5p@Il1ba7u{NoRn{R6rD;$GAWTF)8j!-%OK-3#B<#vD zWWQtX!aMq9Sw^kllaL>7vU<2I<_@A9Xy>5`Pzi?skU&M{0pQLfn?j%htUO%odMSnLV0e5oGP%E%R)xR2qp*19E=WF7LL>aO@N`nn9GqP6s!fvsh;qFok(A? 
zE2*f=--Z-3VdG{k>DXf?K)VI-R4r~F+NY+b2EY8$Alv~!xoOWcoNV`6S_*-fWOIv( z+#duk2DVFSO8o=0xRbMqJg~;C*0`Mkltm&>)LN$O$GDoY$?nP`BzU<=6}$F)dVx;s zaFsaE)=Hq6Akr#*eGY}~K>WEo3=m1N0Q7&tbQ*g< zoyrD=K%$K-BaVh*n-yUG3D39$>==Xb?_Wubtmm>_D3AQ|^{ZMjvR$lakXHwMkTK8% z=h4Y&0N8HJN!BaK^B|S5@7cb!K+XhuR6958YXr7~>{b8xG4ctd#00VZr}~Z)t~{__ z)5+jqQ`_`@l5=wpAml*V&xe1agBp8n!mo#L3Gs34#UAlbv z%|`9G5xHivwf?W?5`N$&NCBd?pxF-&4k87Sn=1rTY)01>UcR&I5gXcn-$~MHctkM^ zYZRH?OjkFzUO=ex26!>2TdDpKa7#-sJ@TsvF zGK9Dttcf6yx!II7)YlVH=7%ZS>_l|w6JhpUo}r)~N4%IZLWM|)=<`D6u{e1A!omkZ zXCZP{iUpN127aA@Qk=E3+ZWcuL7(RJaPfw3h+r|wW2rn@)0WqIG!FPr# z4AGq^9-wTcziDVq=IU>inOT3uPzK7yY>z5(eGL!R{$D?)q)mVEjWf4>&E=7b4-&uPk{tzd{O}8m5E-Vz6 zlJY<_3(1axMTsPS{tP^OpaEJ5j-6jLB%f;5%Si!8!N3^}4~d)RiveSOy}in5@24xV zwejM%kvLN)3=$x2CW}Eg;VlFa9VQ6G{-o#qhYu`p>GbsjGlVbQLofyIH6=aQdjlxM zbn+~}yC4xwu30^vPS6{O@GcWV`k7uZNR$T_fa@TUjA#yePvnZX?1%8reN^x}_Bsw( zExQ|sTwKn}xH%v`W@VL%B$BhUVaA4i{FSUOhYzC{xXR{x!rck$;RII9UO#w~sWY2d zk8mm;bU+%H0uB7Ha&o6zP-t zu9^O_;#4*ZP1t{jRMfwD<{ zZwy@n`t)2~ql1YfZf;OJqYc(#1ZhN6RL}PaU=!TnapV@hM~+0@dk4D~$YE+=uzAMy zY3g|<*`RJH^u50PC4y9e zoh^h{c+P=Pe~=Lw)CBc6xEdo%ilAKhR)Z}>Qup1DpFdMy?b}_Sw}RXEJRB4+uM(M5 zH3ZJKZL3506XBe02N^5$rEqX|t{!?+SNA@Wmn0THtHsIt_w#0RK8E;}?C%#G`TCWj zz_-V5x-TPc&a!qb;rac!8n}3rAO{DV)Il>{U0rw*xOxbrf&_+&pogc|iWs)&qJ=_c zW~LIO-GKv%m{&+7AO&Wl< z3R?kI1p>!2Ipi%{j>4iq)j`KCJX?zdOfH)T3bmjFyAkLVTQaN1W8&g|NvtD6rTB$R z{a-=9rs6wy2wO#XTXSrch_v+T?rS+Ygn+A%*EyiJ3kMFSec#R7H*Ty5gKv8_$G!*d zaVqY)EUWj0jsR7%wMJhRM3jg+awpp`!pDLJ#_2UPo7&bAGz>z|UAuOTFdj4Dhc)b% zDPFpGv2tueGVrn{aqw+C`=@`xTS)cdov9eR<5tFZwRrI(48OWXm z7--y-J%cflh@S77(i_@{VJF1n8XFsl$AM`^`R=wUoBZ!dlJc9K{L_F5jSc?f6UFX`o`6iO{j~}L|r-J}QEbmU! 
zAWgM5QoUc@eSIepAtCHkP|NIn6o4{nBkXMNQ}~aqx88jpA4hDbhRW5$BXv~BqBP$5 zJ5x0GSlQ%5L`Pia5dldAjPor;D&MLpiBym`lam3YjA)NYeMz|(R_60>Tu&H ziEWw{m=!BlT<$|M*CkwwJT5^Yj1VbJY~hw;Fk~@zG5wvmfV0nocnEkvvgDkpmWzWU zgF(D#xS1nmfIuxe3lhP5!?Uj&E=c9wyt(ox65Yor65}*Wa0;E6@X;^J&fY+Lu|m6y z7HlbwuxlPDpL*k$k6K2n0Z|G1LN)azP&+&?>MDTt(o~y?ZYcshsWZogY2~ zl|`i9Eh~GCOmPZiLHFrVf^+a4-$Rm;T4g{m2CtYxlq;Or&!I3(0~e9*a(eorw7k;N zivbcOu`73P5%D)N9TzZCH|(Q?6S9C1E$|!KG#S8c!nFri>%M)}rhARmZ(tcEFFca| z`YYEUCh#XV#vOh3Y(O>`JdfHJGWMR$E#%?hArsG=cXsFI&D~rPA00Sstes#6TrDAzy3{Q-v(m!#XFpb+^4$<3SheH1Y-iLnjgCb>}0*-qRr z{j&4t+5GI3DI&Uf=~9Bdu|PLN_uAE~U2E>+zWO?s6WEkpNn3kaojG7V_U9UKE0RU6 ztCk>F#LvT{eMv5%Fmzvld169BXktfOTX$#YIz;}&Zp^CDK(=9mdgkf~MbWqH8iWtm z-en%tmw+$Kw~t8t-1S97Y$Xsz`#BsR43~kyxhhMfeQO^*LL!Aj+$P*?d&T^p?CLU{ zCs3L;lbwoAo;8Ogd3g?lyrLqI@n8;%8qWaQ6QViK&2r1K=I`CF=B^Agd5D!&Q!={} zuJ9&S37NzsC4uA&rXd!J_Pk(iSubZ}k-i68b@;jzwscwxa6i0p*65=^C8ZBbA-0RK zhfEwC1Z<*-ij7TQWKXDb)xO`?9rCU>1YQ7?gKE9C7_15RmMz8U=?^XQL3ThzmXO)) zsEiG)ex8B=?w=UqAALZn$|bimNSn?gsQE4Q`epDA=#GYJB!RRCeW;f;6Cm%J$HdI6 zH{RFZPw1bZKX(E`b(t_1K`b9=L3x0+0Bytb1ftpxtE#qNk~6-R{%$jh=3--6z zCOFwiq~PXREdvfGWA8;sCqmzZbaJ7McUoS4ezf!UxymKm{5I@3g~}$g06HE)uN~XA zAq87#BnX{}E}=k?hmIUUZwOCN#@=$@+ZS1FIrOTSi27I0a@2U7rs)90NzMGoWsfDT z%`~Kl4WUbXkxcn}S6ioDiKT5rDHU=cIy&^13~}+}H-FOSUAGbTisp8^6R>{g4?Z}u z5wi$ix8v)JCr=0>R&xgW8fRkO78vG)CIf7ZxeHFr-wg;EGTr_dc_0vH4X@Cr1 zb}y2=YRIn3h^j$-0y>>OP2W+|7BJ)XzB>%$|89B#1LKzT*^5p_I6m6~$d#XG=ISAg zP1(!#Lfh0)oCk3~W>uMnmX<1U)e{$?6cnjMzzi_%3fs+)!r{ty{?pksAsHnkf`Ew+=}&Lt!uO+ljBgp6^_-Ak7^|2{yd5&;j0 zA+ixnq;V;@F-VSsSPTad*8yeiz&>t=4@YmdBfq0UWo4!HBPU6e&wn`#4Qe!NB<5S~ z(J%Y(!DeP_i;J@w&s@C7PEj;KqcIAF?E~=E@gfWU7MHU0XzE5}`*%4TylZ;*?JagyY|Qe}FF0|JywD&oE$!rQefH{=8D&$6yzr>8AkmJS za4M9>-}n&_V9T+F2JM(T$Q$7l%U$5YY&l{B+n}Yjly5#*x1Lj|pe*!IHiVe~kUC`M z;pPUFqYES06*UV*$tbw|6`6s`C#-B1>>5B?*F2np6_T`*4kQ`!`O~diPnMS}>KLTxc$R`G28st~7BtDPSQPuY^Uq-lmjPVx zAnW>DaFJ-2(fWRW0ppexcpA1wUlDf>PiNJDLSTOjHBs~E(bi(9iRvEYBX>iqLQDbn z4Kg;^A3O;43je0aZ2NeCdPZ8>Li*i@4~r5maLDCZ7@Q2QVL4@6&kkPXMT(E2O%XB3 
zF0}sTYya6&E_5s=5KU`Rtu-53?UTusfU|HAu}EMo&@fh)qVo{&0%S)^A8ts zkw`md#U~KzBHMz38A3FYP_=^Sm0lM9mIB%!Q4kZoNu(YL*w6I`X`l?Y&fL@#Ag;y+ zGYfDpb8~b1iqVt!En-sydFrh2NmNgJcz~q_?RGbM2bp|oR-L07hx?b*>L%*jYT`I3 zz#AlCue>cYC~i^nZr_fSU0=s5<2(4*NFsJkJ8m`S>cP|vzqvBKsX2p#mcukQsihFF)CwY8m{^V*&0mM;BO1ru_0c2_G={-ZlK6T+jw;;g*9IKoQbdw#X3 zh^0+LO3DzrXjXz^Vq;T)sVbZHZW`|IM~O<7#W1uC3b&Ct*j!Mr>O@|Z{hxzd!w3M@BZ?>ooXJKIeg4jY zwt-rsH-=Ex*wg=-vt4)psWJF08oE_P-=SU9Z3+cYpuS z>EO8uP(2O-5fSzOkUefnMs*js3hXG^eez^)z7d>@rAwATx9SWFHvP#v&QxpehV|^r zNpN&@_~mmF#624Q6#r}8 zKj*OZX;7zn!sXeE7hXQW$N&D)o~Q=_{lmk1P%J@l3~|K~wFKSP624)?u74?pb@1iK zSjENa*Pv!-X{86Nn>hbU2>(uj&&h_*`4~r0N6Y?BiU-ijYVAn+^HL_b*;#sG|7B~h zBhKsUs?kIJzdfC*O(#*-_nyb`|0lyfTNxdBgMz=rn*aIB-INkf!W692z+G?++51G{ zz>6EVZ%e!Rg~41c*W4BlooRqo69z$X_=ubVcoSjuJAgvTSnZt+!N`luo zp>Tgmd5xDp{~X0aNgVg{*@B1y1`aGs>pg_d^ve%~v?0RB&(9An z8?^FlY)c{Zmyor@nr|k<7LAQnT7~lm_ywRaB5@G5jRLpK8hKx;7@wW3y(TTd)Ufd) zL|Dp?E0pioA3NxUjyUNg2v*crTIA`C=U0-NRM(idY}qpkzS}+_=}#}3`tc+CK+2!y z$_Kbq5AL|We$p}{08xk=7i|(m&O}IMVJxa@3^0D{KKvf?e<~Hu7d2+eXU>d~?e5*T zs0y6}KgzIo5*hJ)I4LC~<6BvoLNgC2EX^VmVDFqgG5At8a#GPJ`oJHQa#Hv%(f|63 zbj!aKy{wG)=k6}U)r`vl7Y(doOy5w#3Mdvd;#Bqg>?}xAV$yo3{6DnTNer(x{rs7t zZ0LzPnGh8}#cybY)(~S>ua906E?AhEd3=Nz#cXfSOHMwU5LpRfWMHvh^(jp|qFZFc zK-0lb1}Z9nI8S%4I$+8kgdV0QG2d2U`q8ZBQG7g~$D7=T_}dXoP*6d|y|nU&c7{lkmjLw8pD3o;E;eo~j0zw>0@S=7>m3Rzy!OflXAwngXX4x?$YBJ=L% zQLiA-Z!;Ivc?1;A)`WHx3d84*9uXr9Co@4p@7sreA&J+KL3Q5)W4G}M38j7Qt*t|t z*agHG^Z0*^r(MrYs_VGwZ8!60vSjz}9nYklZOB{_t6a>?2-5u)yLWpNTpl!Wjk1ZL zCOz2Y6_sKF{(gwYaKJ8X1<*=kkQ2hVKdOm$2??8MXnNi$(^Z;@f*kLe(wdN-x(fM% z{Q3V(Zy1*+B}6{LI5dQu!`@(%QLt^hgO_A5r#(Y!msEr8podhAFyTF#nsj1 zO5!FXG_24)5%TrUXGbhUU0F`9_4%QK53)feoc+C)7w!U2Kr?B&|NY>mraYevZrng( zRtf`#aPRJ20o{z(_)fU)2xNSGew{ykKprQM-a%t+iBCXaF6@;5fveHjN0WAl@$%l= zv7q=`0Zk0@5uXM=EkXV8fp>&9oWP#s0xLuT!$3L7cH)0RTVPj}n2w%DZCnErL2^h7 zWS38#z@qA?te4VOPR@>|rpsdCu-!vZOK=^BH~t5BfdO1B2J5o2o}R^Du7|lDt83TL zuRH)pUnTrEc%$e?uR=7?_gpEEf^g1Y??0&#db$e~(5rJ=-z-t3ZNoecgd;kSd(ON# 
z{0=NC_5Le{w_afwU-LiIJPpV*Hn!)Hk#&V`F^`Ma^}?!3nWy~AmxEY#0AL~G3{Oc# z#l5&}`wI#G^q$gGrD8va_k%}!xPhH!) zj+%k3D=3hWmHpY?9^QA10&)~Yc!}dUfPfLYxc2Ri(YX8<>{5ku1Zz6r;!F4fa@HJ-hgpc=5?&IU*gUMUw7c2H%=n1Ad=<^Uqu&xxIhSHL@72NWuHV8vd70GfqXq%AXORP7gJf>wo1AHRV)uhx0)`XsGJL_q7 zpY$^KfDkx%{by~!a1e;pQc1_`ivD@~&z<1-br$iH&lxHKOyrh)WuQ2E<`xi&CZ4A+ zUPyu5W>})Tj-Qbbwvl>2mmSVCQ$)bOS25_8xxcUPNob=OvN2u)o{Fvu{&e5`I8`z4 z6uF9@h98J_^jYCKcq0U}u&bj6=Q|7B;m;!>;$SG;{no8*Op;tc#xRwF&jf@7U_1grBk5%iZpXdgk-9NL zFF^p4=^)B5{=G-hRTMPcnOndmEV2*aGxa;;Y3z@%u`3a+qe};-%MpKxtLAXv-w_6$ z4qZ_Qt$?F}h{O-UeMTegaY2QF!S@(ob~wejySvNFmtdT<|7tXosMA<0el_3)puUi< z-+bxE$rYewWo4Ds1h#$P_AXO9N5}g(P!h?=DVQwfa@&3JJ)eYx3xpu7Tz7%7IMp<^_?pASl6ROv9bCC z4YfGLpMZc(y4jEB{OHW~NE4A56EeQhddkY1T%{}Wef3GNlBlq<)%`W**E}l%wgUN>ez3X0Zqni>(x`I9jY{?)_^IGaojy&|?&*JS z4<>Bg{dWa#m$di0YKveR7I6$o5rS=^TG}!u(7biSc_})G8G+OVjlXl zE#~%kPcqQ+Jg(7%m_|^i zgh=QVan6n!Nj2fS9Uz2oFj-~@kKUS0!KdE7N=2t1?~QP5*2Vdr{)eT( z|57}r<_HX+ijj#v7y%5^WBF5WLF+tBMD0+~*7hMenf_i1W<-x49z&~(m=|s6PGAeP zv=r;tw{nj?gM11s_v9HqLBU@)Fl}`XmN|L|c3oE4QAoibUR2vEz0EX3`vPGjV*0d` z08<1Y*49r?`Inwrl?g#5mY%N8MYUV%9qLOoP?9cJXCb_lUFaZMi~e=ku@9o5=?t{zlnSIZvWoB zSD;lps&UWM-r3m*>Wttjfb3^H{=~Zx;ZVZ2)l>G|87oX93F)w~)!{q@afttZd83YI z)28zimCOyN;iMbo{PQM|D*M&1w)^3;^X}b4-#dQiHl+^Nh6#n?70Z406wIGIjwpHa zw*OE$0RB2T@+}Wf>V|8O{S1-cG$I$Q#$AF~1XFZPx*3r2(=^yVKYG(1w*tp>zNpO# z4p=BTIrR}?AqKWUgHwTv%7pvRT zaRMdI+va0vpk_*;?9HF?vGc_1-H!uJ_}tk~ejW0ynk}Uj(qt55T1%uA%)M>&O2xrd z_>1~PAzm21l>)FrAB>b@ude^yY7)3dgaZK9s1Tvo#O*dQi3tnauBz2r4b({=<~81S z$lNYIf4UPom|$ES%sR@kjjhYiG4!P;X=z$XfN3p!rcRm|`3vS|7ep<@4xtPy9hU~O z6g{E;J=cyn+Y~2_H$=#Spu^$>`bfa{)sawDKu!7W`*#dOr?rEE0I7vRZK5o(e4tRu zLQ%izC@&<^5RDPQb=_yMrcLG9xw+5G%XXV0!8h;~*F9n?A;t&MZk2S4fCg#kMioAE z1}+0R+1YgvT0vSGRNd61+2&{g<04egS=Taj#ft}aWl%iH82%oIA`M~=c&h-E z$S;RdCPapk5)GfxM~D3k3P)uoH}Rn*Qs^#sD!)Wo>Oa1*^bj|T9w3TyR^vpY_5b&i z8VJo7(h8CvqAJqv<-^QyFuxe_8RbO@b*TnIMBK?CK{tB5D~eRor96! 
z30+8%E0H@>fTyGUe58Mt0n5EBP44w@7kP*H1(~4*K{k8V3iE7R6KOAr^d0gRCgG46 zFf$V(UP-ZP1`rL0H>G8oDMGY!6`mg^!Y*f^TsRD&7~6fE`PjP0A-lT3KjDAdQT(0h zcWKnCf3^tL90m~tX;sJEP;-e?mFF5#@o2{ZkU9)Zm zY56qf3_5OL#XnrJ zfeJc8gM-v4Z{MdiD+Y4ZDd?kIyW^di3qTF(GI-u0O`50S7}Nv1%k3(}({Q{!2~>=FXB< zepmV6mw-BZkD__8nJC~oK|a2CTp~2Ds9}J!?B0!{hC-)CSrN8thRDVe%b4?>eE*P- zsex}h8=Jqp8|uJ)*@{(V<~z#-EBM{)?WY06EXlo_4Vj!Ro+&p;M`+BL0vK}% z;usuC97rpE48@+Y3JeH9xj`TXsFF4yCf;9wQ_P1x07bnN!3 z(rW^(IEXPw(E4cP>$je9u!kTKmHgsL7p<=aEhLWF$%Ut9kDpgirm%&hF8h3`{-CvY%t z+GhHBulnu+6Z4v@A~qel__Kik-|PpRCCq{N3MIm$K417CKwcy#XLQ^l0AP%8FM1#g z8=LG40gJQGF{} z>79EtQ}%r0{*#}+Ghwf{fWW)Fk;)rJwwSN}Tv?ZHZ{H}#)6fsC8TJ({sVSY)VFzxDkI8=g zHQFULacfU%mh@pULv7w~YlvRw7g$Ap+wJLy8n_1AmZ4@kTKP=LvqyH{=T zF)>OI@$g~vx#e#dn0o#khwn_JrvEt`cs~Gfbg9$S)WrJ&QiTd|YU)F`7w!6+0Y)+M z8);}HSH?0?>HT@~V-dU_ckZxh(eKESyEQD`h38O|O-VD{Je<209W>Rqdxa?C|d9dK>oUUp?;rxo+N(-Ok2b=c7r$YG}d9Lne%2L{)ay;Lt|9Y#~!cX#SLWnb6yhn3wgUZk4jJ0NJjoL(si#$7s^LvMB4h5|HBKHPG?`}xj`|go{ zoH(qB$!*+d<`_>nLqZ+_ogbvWX`?{PA>4vo)g^&>SqIS#I%1a}&%RsBn~42y|`w95LjQrf)GoX%V1BVDVqucYX6lR7hURwDOp6Ot1;y6ZIQ*(vJ3 z$<;SGvs`GWaO~T3n>qTh!nL{E0pgPxD?^fGcgx{>I(z%K-yog&SX%d}VYjHL{lKTE z(`if%MI}dxGDe}IS@%&y#KB$5;+RP}bNci!3IGonFe;xtJKz^cMZ==RX?G=4^3b8j zU1Lg$R4iMzI5eEtUh^QrkMw0}FiP&)w>^>`LqTl$ndMb2;=A`}nJwKkmzn!EHL zn3bzPGtN!Exja`p@yqWpMdF{6Mzk_Rkt~ssMl~DwIlQV3d zko`E)w*!aanR@5uEnK@ecC)MhdyKIIW^|DI@$<~tQvQ0+n=_7j3k>m&`#vTuEw^k9 zDbnw7b8r!qdeONkE|*@zF69-W8|)&H*1d1cVEfG_ni$Mj!@VT~S;8 zsji`Ja+&V7O-xN4B=fO6oIfU#@20S4KF? 
zo^QMn>Z$g?D)6deI!Yco1@qII7q5(u%ncr0DVocpYSQ>d&hQxQnK4{`HT<#tae#6g z%}E|Wm?$F~e@5_@FsTpl3ypV9j=f0rU{mX&y79qera8Es`?K}<{LElj-`8pc=c`1m ztAUBem|c*c*L?o`Wb+yez=%eyEa1$_gIE-vCz4-dG_a7vcOT5BXz1yWU=j{x_a@s>Tv3*$fbk39MIhIOT;*AM1Gk_qdcM5J1m&<`Z@xn#H8>HGavSQ|rkxNdDt$DPk`n$3j6JWM;NBVQUSD#GvX< z85D7`@I&-FM}vR(Yz}@4y#}0^|M(s*1BWvJVF!o=Ox_=JyZ~^DvhGr<67q3?wt>%W zq`n9#8ZsMNPcs1&XHpoQV!P-wB0v)ybU@d`u%$D^U}Y_eLe^2@G4bn4#8k9jax-t` z!2{#9fiD4&ozbCs>(WWAViF~-U>g7s~UFE zP}gl>nbvS^=nUyBSusqdYc0Fyhu)#l7bh#s6CrbHF>p4(rx$3~aB>o}vBXv%d~jx| z6WFz}ve*|=Ke?24smv#*%VUK*FcU)nM8V5&lel7)-)K|yNkf&7I!90EGTah94teb|?8opBL89yrJ69vm8`HJR2EM7QX67^W&T%@;8+?3fl1H?Rjk{@u@@=sj zwbowlS+sRWt_VDpL+4=EID*CYxyvJomv8dni2C~Yd@7AO0flrC7OSWT73`^PW|W6j z&B zm8*@UCYr;H{F#-o$- z?bo42tjS3K_cL5FKYjI#zKx3Wf{ZF6u#Veo)4ST`2;bC2TfIKVoHyE<)OT0OBDWcU zp{-5V3SlYqN>mf9BV|`7%TkL-%UJ(#G0UQ9|6J6-;Gp>7!$Yfgxfx{_yQ39+AwqMkA*r@s%V(%2aO zy)r({@e=~*R{U#gt{Xa6A?X?y)gNdaKmiz$Gga`*(Yf+hf7HCr0XlEEy<;8w(fL-> zjE?#_>=Id=>;Va&+w6-GS2M>>$CjFDHkH$-KVWkU&@!_&*GezQ>;uX5mrPrBY4;C+QrLXH_dcr-&BO$@mG1`7`jaqI8R2T;!77pH35L&vToS9pSox!E@)^R`k~rP6cGQNRLu!z zce5j)=YWP1f#~(?c)#7Fl6z3p0wSi{0B8x?3HS{isD~v{zeS7&v~@lTbgKKnB@j#= z(|>;&zTba7&AIvmx^_P^e2sERz6unwI%$2E7u07I>V*tFY|NBDzK%IGCQw2Z!YP^I zG=5Q+w2#|;wgG#FO-+=l#5sxN`|_r_zo+dfZG#(~TH^Xh)OVhilfsS|k(*t{lO^wu zljIdv{Y{S@JNEYJc%~{WVH+D8!K0zq?;|_PVhI92KW&T2j`k?Jx0!n&ylg+PYgZ4q z+%5tbVZX5Jz{uS$&xWsGZ$I)2Z^vF^^Cu45dMYok8{#G63Nz8{(pIL#;UPGTZs#%S62 zm?OJS?Z+L|ZWEqw5y}+5ZH|hguQJ7aac~tWVl(TxZr1XLe)juz(FZGYhUadp_|#mV zAf*!N(o2(dRl~@L+~dnl!ifd4!<_MRcfc;OV2-oO%Is=%Md?zc#KN?_&AyMHRFxFV zlqx;AeNmC7v{RmPY1PzCP+1<60dt|5A`a>$kDWtbZp@Z5mR@_OvrV4^lP}Rs760qg z3knNw&Xg>6$c>AuGD(ML>*1f^plmQSo)KvW^kxTHyAZawmG@cqEX>cFL?MRkh3)mt zn>9^}aW)tXAq3r02n&C`#HtBt>fiXOWC@QpGfhKF)p~c;RFVUwY^p)g%FxrO)vxXo zERy$k$TK|*tXq^b0URUjU794iXAcw&ypaDd8W?PaOEah^C;ruMy*0*rIXieL_`c7B+<0&2EycJ~(Sfn(S$u+c>gsPXPbTTVXylfi{i=YLZ>(#J*TGnlF;DKc(GG+Kz7532pxgDO=|6Zv zj%GMd7;08?*yOIuN+%Cyd5gcwq%>VfOfCHA$+OX3fl0&YxA%%)IcasKp4)Sk$&C&j 
z?q=Znm_SPJr0w@v{OCBE_Pw#-m{0snw!QBspBQ+X_`Xc%Ppi{VmAOaw-bQO5t0~o( z4b`(r9|tyI=-4!=Ad2wDeDtk3GAk!bj?2+LW?ef^VMyI4#%{mW? z6SNX-J)1V6oXJaYp^#EZ+p#4F`CQYn0Lg>XO$n2Ms^vn3izZL1!figD?%bfMNvCLi z@JQ}TJh`)|AMy+63f3N1mug!mY*Fg}Xe{g9_0pBb*Jf2c8sl87WR?vD+It--MTf% z8;_N7B3o_Pu0L7Has3u)X%O!|JAjcYJ4jAvVIzm`b=u0y-B6n0|UobxzJlOh}f!&_4)k|w9BxcdrGi*#S?4{`T;AF@N*r_=8Uv5C$~ zSW=R$DAAly+IZk-bcJxq1mp#E!D~OwoXdSyT~C1#Q@Xv{zw;(!+kJC+{Ln=8o{>_y z}jE`nWvEcpe4^DFX{ek)h?C^-C>j3#&1dafOm&c8cuP82NkI;o#lD`((3>PKOe{L1Xg72=wv=1(gd8ymxf z9bswy^P&1y<+g76A%UgdK%umEBr;zVGInX8)s(a{wS9Y$CmHwpPB;)4rSkNu&8Jnv zW(;=uB?RaB8wBLtj>&OfaoVy9qCV?5Mw6VFHnGoBIEl`e`Eq-pl$SGf>A7dI5c9J4 z;vVlr+wTiqp5*1Z(WWj2x!2`&%seHgu6rYR{kI!tO&3g1H^wl1Na}KbKR4Av5g4X? zB@QCN(Rw*@xrm?L_D>rt>ClVt?G4knuhB7bzsJLLa;nq0>%Q{65`U=>XT((PmEpK3 z;n3nNi2#vEbv>v*;We8CgbUEOM?4+vr;i_}Ezm+78t3ykvGSAiynvJ@|)x+vTube(MWw z&Rnt5cq-6wxKcg)`r`2fR*jxt4-RSJh%BtnG7iCf^h<4cZ2PMBNWHBS*xW%8_ z0XTM|i0pyghxIZGoTN?d@_VrzvO-m_rb6YAg~0ry1ChC#QkCOtP~|)v`M?I;lI@@a zYCQ9=sg*o^mp}kK2SIb*cTUANIPB3Q5YYmoY>gn@2*YA&4meMoAl&=75Ql`#PNZSb z*)$)T(DmPN92Ji=3BoJX3z!U0pln z9Gdj=W6_P7y4I&U_ztwGlvo71hPNxbJQRy_3*$kly#`o{wu0gV*PsCb&7mnl3t?<` zb4g<@q#1&Ozwsg#aWB#s3{N0TxYr)ci5DNDZqxPRAga$CtaU_5m$jke{fNNnGiPog zQ9bx(;M{pHF{NPs2V8GW)z{i(x>M&Ty2uDIh#3XqKVAC#>!fV+F=t54<`TF zFI2Q@-yyU*jr++hyIX*;B@CD(+DroOtY!v;j=qsmFN3^t}$KYijmSOn4#)k`b09-hxw} z6aZP|-g9p|LZ3LN!y?O*?VOz#xOLW%lq-7nMDPMsMSEA`WXm$bh!M6f*U@An&owQX z-4d-)_*l4eJ1$dJY~}|RCNo{lBN0#S5Q?5}YrHR7sl^>95Gj5ts8>YATT)LvL4sl- zHtY-)F8$(oa#qc9enLQA^m_gjmGUz3Bb;Xf^KLUc&o${xwC7CVC+ghi!R%R8@Qw@n z4jkAt`bsI7IhZE@qDCb(fo?L`E}`B*Q%0- z?8!Y&LMt9dRdGdTh4T^D2cLU9fWE@EJGNusLeUa!83kvj#BmWtU9hCVCC{EcOHBE= ziDJ)@*AO;JyG(YY{=RR@(qi)9iuAQA1jlaN?aK6!`+d%h+Zqi!UjA6mwZ)3X(~n0G z!F<#>h%){@(s}QsbY(z%&IQG(l3dyWTBgx#>d|*`k;fTwEx~ccKTr6wVM7tvqNhAo z+$ZQ3)-P<(iRQCzOV6I)e}aZ=|Es|L8E>5POm+Rg>O{ zVV*sf#N_$lk2Pv;1!B0Cdpm75%rR4C>xh!pj<|BMvh;Hc3r6WC8?tYHKP!HTDcic; zslWQ6<7jh_(!-!-rJ#}v8D=#|N>fN?KtmHxVMP+!WA7D{QGpN0i0M;L`E?RP&ZSSG 
zOkM6S@g6ZSZqoIV`QF^@^OC6~e-^iNX{KI|g@uJlz7Ch?0(IMNnYo8b=o6hFOlDWz>0xezuN~OT%c57F{njKcDBsR6639g1ZZi%f()`A0KX*L%e#x z{~KKWV}}voDmO{IoZ7ct-*#Ou1;ZN_$57)e1g0In`x0K>O~MFHvkvwC;APzGIn-7o zU5ocN`HMCo&1@JS&*@TX(@fseI*pLVutVzZt#fm^vTy2`j}5e8XK`GVN5ZzJqzGP! zdg6suk51hk?^;{uIfrXPLO@G+c+N4jJ2h>gaZ`LH;4%^}wbo_5A`cnu+|}vY^oLBT znt#y-l;e+Pznx^04&G`#%#j?CcX{IDrR##aD`nAuLHj$7Oov%Bc8$R*&k8tpRe`L1!96 zb&@aMJ1CSnpJaS&Ze^mVXz5pYwOVpV)QG^l#BA*#MAtOUdh{7PcVo0+fE1je~6#fNjh6jMQqc_~wCy3!=N{*&g9)P;8lUITeffaM1IV38ZV`!3q%dlnSb*JR&m@;wPZ6hM>hV9 zoI2fR9(9R!L_s+mMdt6eOaOr=It7gnEF$d|PE~SP+(Qb#B<+`2QQ|ff?K|n)njxSE zwH#MNA^kpK;Yq9uEwk3r(Mb%aN=p6xFeD^oM4-fDh}=_x{xg_M26G9_S$AVZ3?)GKdfAmR6oFt=leJlO37pydr|vhMcTSwO9j>{* zR@`f|xi4m|72h^7iK{)*KJV-~Z#mp9z20b1`O_9bg+^VksEqup>KJNaD8RaH{kD4R zoK7E}Wn3EEI9BxxS<+%3GD-r7cTay5ji(`PLzPzOwqUbGiAEO~SNF4uhk;$7$0l>K z#Ta_M1wp-^Xi7*(jhpB8Y|>;I60ae`U$f(khK_X7k)T+ZhesJ3dpg z9ChL%)o(A-@=TMyVp_Cb0?jL;TY`XI0q!W@e(|nbnNN!NQ_I%{@@%2rn?h6!D6-OB z5JL&UV1oJuc}c0$<~4v~)lM|&jC98nq9dO#@yAidDGVsGv!=xV)+3S^0gD)d?yDa3 z;jnS}_1s*|deYZ^uKVcaHL;iL;^dDHD84I6{6|?TdlfB%No~RkWscv=m6k*j*R4r; z{lGh%O4`m{?#^T(?z?@`Dut`lD(yQc^UrtJ6Ls2Zu#`7Pg@K07ei+TO%0S3MWvYmN zX>IlVr%-K!j9*?lawBBNlospG7RQA?-r9P4)m8FAOGQwbAi^$*J{OM464UX6fT`y3 zzS<_L0hr3KOY6AAA6Vg4vPbCyYwz@m^3`~BWtdrh@#PnkwMRz@j`k|gH(f7(>*?MA zF#l2$1B}a2Q7)bHYcdNmTHv+(`ZaZ*o-+S)#cr7U&pj#_KUEP*@$2A<&bUObVd7<{ zkFWGoetaxi>x&Zo*~+{aGq1aWIA6pynIrGfiYQpc&h=XtXV6ojnPo)Fs)3#yh6x9A zIx>KkhM;;*$@@J5hl~67D>~>rm4w2!pJR)(g~gg zMAeML*jx9>8b8F7ywU~meY9e`(JZ8306q-XlD&#fq(w)|ABg4)BV@Rp>Fj{B#p-en&=&1pVW5M5sQF~<`}6qvk;c31dh2|7XbMEY+J z0Pc~Ey%W4&%UP|noBN^L9-sDCG(&RwJNYkM81aN zlzKxyTBX8?!WCgI>C@)$u-a+ShhdM097<}7EL)CgKK(uv zMs)FMmpjf{Vb~EeR>^psee6FI>zKFLj+KE5T<6U{_I_OiZ zlt2aH++kNmP>Z+;-P@aHrf_BBJ=33tH|pD#Y#3ogS2~ZXtF4g9bkbvW>f~zA?S(bm ztB|XM0@$4^<1)EZ`*HY~`O@@&><>v55;m466lpbjlEuZu5-RWw*R7Ip^{qN`nL^h8 z9tNw`=$q$C2v7^KE^ZO|^xc8gnJT-?tPQ9e$>O~;(Tl*Gvpt~G!W9Ko@LRqJe91r75TAtrK1u2p+M;Qw|b@K5l&)H%?s`1 zJA3N-Br=wfr;ONDIA&>yg~-gaeoKsxFPs!nQDz=}l@N{ra-m#;Gk 
z*grmsm9ke!-BU|8~4;mTA~ z)NgjR3@Ux$??=f`zudRHu5wX7SjTC}ZTAjBin+OT%T|_R#B~U+v6SR=<15rCs0FO7 z_p&BlW4Gte+kO8i zjRd$n)W@Cezl9KPcsqp78f0_VuGtt>HB)T2lC$l65Xo%ZSywiAt02x}CPba1h%{Jl zIsRSO9uLMX?UV#Nm^10?Tk4M|F1ZLeVDq%9d>N{1@w1=H}&X92rW{0p@8M@Ck z;SL-mxaVX&zn~!fbdw6{iTq4Yvd7$qVH9pFXprLGzWp?Q&1#}0%E=rM$SwQHZh1#9 z=WxtTv;!viV&t)OIc$!@vtRqjNb`7$?s`?3xh+mR=Ii-W^SxH$Wl0SbP?l}vR8#2C zH7PK&k<%u1%GPF6gjvf;y!!F-=LYX={_L@F(pb)_cn;mF_!?=uv_oh-$sc9fEIE|A z_=%yrpcjwM2{j9~^J#m7^ZNS>H43BRGbzQaf81@N8oPy*e>~k|%@svO8oq3pk;ezm zFXeYUhrU8yf{IKjJEy~*ws~0S(4iT;1_G%*H=Lvb6#hZa&jL3Lmo@JGEub`$D~&ZT znrSGLW9s5hyzw;0Ia6sI{B-KH0qv<_9NkjG^X3XmEp?AbdE4E#YSFG(7n_P$J)n?Q z38D-cMj9eM75}1#=V0g>K9x)7W_QWDBhm~hi_;;z6Qs>YyA{u_3C#}+d_eeOWx@-QkY_qRfe2e4yqu_=e7v*R$;#8dWW)AXw<17=9`I%rNjTAQ)-jm(kK#8-Q{1M* zWwo1yD9#!OF#-lCauqFMsqK5rtesFWaKlA#xmNj>s$;VkYuKNH%mvPjUJBUzVWE?1 zG}ka+BF+L0OShbAkzvMa{@XY`}hKNRC?F}DmyqpB@?c?d56Uibz=3)aiM4}Nl8rZxRCd22hPVbRJNx%6C*g$Dk@F1?(a&Ywp0 zRwL!6sy#mw{^!L$Qsd>6uP8%vCD(Lw_gX5hq@op$95yTDJosvV%wjXv1FImm5w zNJOMzzKO94B?xVi| zK^vtV{|1Fl*Lc^_k^#N>h&}}_JO)VQdi_jMB z1&K=f>(`3bH*h5;@@E)G`T%W|zf*JHy4^QRNLvE~%Qk_TjNb#u3}6I7qLrCI54CM& zW?{i|ISJFe!YP0VYzy)HrjU4_>tndHw5BpIbbOCo^-$=GU=79n$PY4Sv8 zUd#Nt$s(svKUwWI><IZIzt6FUFns6bJ#vL0h6NlO!+ypkCe zCL-ZqfT$6r;x=NhLZRt;J&gJ8iXlXoXB{p=Q44}NR9AI9Mkbjg+1>CgCeSGBx-b2J zoHx^{)`((nviAr5xi*_xZ}P#hi(H&b=njE+up@McPSO<0FWi#1KPliXP|(s;O`qCT|irEOmss$)CEx# zA$X>v&&=9xbZZJ%Kh2%%YkPa*IX!!jK_)vc6u8c{UoR>!tzxiJE(i&sIhbu*Cplfo0C`4Pio!DgQW@3U2723D=BF`PD+6&*4R08fRmjhs z=*j_z#V$J&ahNl3Bx(g)Rna5YBKd&&)*9*BZX05&hte+#{3W;5>V5H_#fdz>kL-;( z)t6qy6&N(OGBQ=-5V~`nRSzo7@-8uP@jen)m+tgXY)G#Xt`>X8-EnW0Gd6aqQx~95 z;cs)jxFLcyvW~gq?(W*yJ7!ijOfgv=xg>b{K#1@Ye>ClpkrHZd#r?XizeX#x2E%0h zKtJl7;91RVWOg+=bz^mPyU|mOIizZyknZc&=yv%#?zykbUm7&t;27!!B=qaIZ_~IZ zeS%<;DROBUMg@Hi=eix17Tm&RNs=pHk_-0@uVopGLG8@RnUC@$h)pdo zDQl#z3T-IBXV4a9S*+4M3t+UipBw^fRRj=-^H;)IZO716{H%moP--XRU0OFbYx0O} zsMvgj(vjlnIvts*au$gZPtaF*gj4^7multCLCS;?j4k4;G(OgTR_~85oySl?bo42T 
z0VZ$GCmM}|z|#_Lq`U+M#3wZs)A;YIoI{F}1}c2}HR#cZ>JwEoV9?Z8mB#<*ng~%*<>4Ie+BB zD5)+bg13j}^ks9S#v5H4mN{cP)H2S^*+bobIH}-BVoF77*YE*F%4>_XW@22m z3er@OI4}j}{L|e%ym}7@8jcYws$eO}%J-?%ZckrBQIv?iVd1S0uKQRN&YrP?v6zT9 zBwLtus@ix6Qf2HsY~~Vl`5~mAYYUURhGz0Tj)$g`@88{(|Kp8jBWY^!{m)ni3o|nY z81}ec`OglR)0LmG{;Ka%eH(uJB|DloA8~_nUK@$KmVkJw6i)5qaaqN8%P8NiAa%i%~*kK2P(Liz;0LuB2SX zeZfU9?aWWZavbuyD3@M;(se)6Y$F4MHB4{b0tAcn(hTyRgo3VU`V;@NM?F6<^g<{i zaV}1-62J|fo+I+wQ%UoC||kq3uh`WI}LQF zRS!;*j@~hLe(j{<<;6ttWZUn+QS--V>d+k1j4sGAO8%;pb{cbmvS2C)9Ui2IW%m=B zADc(sqzZg?Ea8Yqfuc#2`#jq>kG}ijk?!+tfJsLnpviC-y;JmY{)gp5R?(_W7wB_H zUlka8&h`9&%>cNS^7*Oc4Eq6PO6&VVC~*ncEA*h=WDXu`=lq`E0@}GfK4kJKD84TZ zb~E(;HVxocA8j)V=9Coej*Vp!r;FfC5N!Q-NtJJ%utR9~qYrCWr$Q+@^%(U(_H}5i8+G1jILGun>uUJ-Uzhs8io%Uajv>d&1Pl3@lZe*xb z3xoq9KY%D9c#(ic5z4{f#TS*@`6km7^_|uQjKkUK%ON6IggbXS>gef(A6UOhnN2L% z+N2LJTR4C!p%-m~x|FT8l2Ro~tMm;|EC1os&@sIEW;t~Y`DOdP#Kz^}D`(HrXFCD9 z>r2Hjp_&YVcR3cmnVzBx<^gq<^`8VdlR(tfb3KEhg$771AnM>M@8}w|SDXDOwno6X{ZaI2BK~rQQqA-eA3Y#W-5J zVIW9a#n!gxtA@eVwOzrYUM6ogb)tR_{1h9kNat%)FsEJKv@W=;OIrc7hPp`74@pC^mOG{2jE z<0FOnHoiE%?bVyB1X51ez-ncVp<=W5;Zg1Fj!sUy74!<$)1}xhh+DPZK4_}x!%0vI zBiq+?%%W@+;mm4&U8S~c8>V&oWcu-^*%9hA&fGeeR`BXBVC`nLB0c-Vt=U1>j+6I( z0O&imyPaS3_Xg4Q&XZPguU;7g=8h-xG+m^29Tj-!8vU=KAj1)q)RZR`FE@$hbS@Wb zMNJrbR_?3Q3>(d!DC*7%3DZwIAQ)F%r=?r6dhAfV%=#(jV}d0{ zaYKY`SU1Ip{b(*p({L1=_uUkvHz8*(M=v!Ykggp_R*m_yP|Ly`4HXupmdtEZ<;Y(& z@woHudv_K&;@>T9+`_t{U8HmWZBm$+AUt1oi%rhX95lU_p1;0$jIgkcg+)S2iqZf) zGlSr-@&h zo{cx9v>sD?>$v%-sHshV%}0?}tLAf_NzciVU{YYECjoncv<>b13U43xe{^Z(MrK=( zy{VfDZJUW`GkHe}04XcVGS`j`R)fHlv7h&RRJ93%|A{?G&58y}CKuTBD(6*{mDR%R zMuFT}Y&aI#T6mF~%|rtw@<;+Uxqd!J@I>3T>Ic4B-si!Kk#z9@xhnT^6WF(E4;hIx zbygX8qto#hyyyUR1-GO<<$_M=+&X8)9qIG20bc+54LS_bshazLG_#SskTtH>61t{y zog7B)G|KBUUa68BD9Yk-=(Ecj>JK~gTR@UVlaBMGL;&oCR*F3Dd)@B6Ez!N*pMin2 zO+kEh7sDhe%4R+edf^k7fZNOcl~NpRp=VIul%4A1!>60OJ>gt$Gsa0(NhJzoy|Axc z(X5fTHWdFZMbsB}W{>jUt^ADhCNEmB!2M4@HBTv$=9z zYJWcVlx9s?1A+B4Kkv}|K*=2G2NA68?XyjqJo(lqly)aPdGh4DjcYNhlJ%-0w^^_5 
zovmtxR^oR)z1m$>@1~yHcvJD8xhgTr{Qs=cZ2v*3f9$7TNs}@AZYnvDw3E^S(bOMM(>Ad$WWQp zUQCv7ZZ!(_-rwr&iBfRE0JuGLAaUvx>DLExqPb_m8pPji z|1ZnV%_7gwJmWm5m;Ko!z5AY4jQRhuK=41lmJSyv=^f2!ejTCN5UAJO>1WNZFqvLv9R z%s%dbCP!(;sJVfOChoCKZg!iE)@)ZRA|rUq=y;w!^B|wv1W%?GT~!GOd;pO9VM5X> zV@ky9uEP|P5&k$U>5SR-g4!JJkG+(!S+s>qnM-|9kExc{j3@-1ehWnR9De0aOzJy^>5nK0yJ$ci2p@c;7Z;9C7XbD5=)+pb6Y!z_!szPogeOP<|vCz{;B z7|jCm7J8}`AlgwmuAu&YLTH8;WQSreQ75%-Y$1el-*)(&pM_Z@-BP#){JQPosyD3^*t-4jNIp*j)+xmB-%Df+wNk3vN69~EK>{S(SR9e`Et3&1A-#E1>)pY zVWOhRLJTm@$i>ehLV05u#Hdc7P$5wpPGq|FKRlTx-$cG+P6Czbb+8EJHNI?d7Qqty zio@iA1#KG0d`hA<0nTcWJOlodM`3J`<9a?Z;MAO17~I!$%<<8{cPNZ^?ZYxj3-Q0J zfdR}F9~xXV z0BSFATR?wv3&FUr>16YYIIF!eCj{!jr{COFx_Ir{FzUS=i>3p*ByraLm+Y4T=S1~W zd@n9O_Bqu~9CI|Sy7qhb=+N&bMu5}TF8pj(IHJe6YCcM`bmHQgU&WFeW5rAr)>>vLX>ZZZ+yC?+0rw){ zrp7l*J+>ENR@YCucS&Y2S1-7iDaeg(WIx<0J{%2;GPCL*yJ@;B2Uiv0$E~z(mNDjy zdrU4v!98L*J%|t-U9=+9nFgR!g$^%3u4$}|P1`@~RcxZw>6vWuG@OfKCbVuC{CS#OzUw?0z zyx;1!>&OdW>!k+`K!d`O<*|NSX#_GS&~hL|-|Bc30K9*}!nIwt9vu6)i$LwE{vVK6 z!gp#WfdHYf=-9%-BIgmHQZHUqi0^|iXB?qy0aJr?A9g<*jo|`qyEOy0O`x+u12Z?E z=kUlUPzl0oR8+bU3qvtNJL+YGu{)z*abE^=Apk6(R!K}$-vUb=yu1B>--p;jX99_o zAkc--IvYr`Ea>I=dO62s;QIxLO^D;u3u?9hCc_r>|K`mi8MDDsbF2VrCk!bx&y>CQ z6qT$xC>n1RDy%sP_K&OHHV4by6~61cWQUANZSqppUFs!KO<$^nksYNUQPUg?tg3g{wxh!c`?F$3bj z>Q&?dG;k}5aWAo0o6-7?vQ@nr7o#80oY;-b`iuzQH+bXH9R-$>DPR)40GS3`X23^) z;La+zKr46mgczT+@9H8Vku(!Olf?P#*5j@5+5tPl@1vMCuo`;G9HwoJCuO|I;~E8> zBmu_z_y7jmF|E^$L*V&_dU{y2BPbYQv4hOzsP3rcpwjfEwd&>LwL|P35y?1^aa~8! 
zA5eL3m6?8PaaX^E_*Gc0Rerjwla`(iEh6p3i)LJGtSaCcyK@IO4`Ng?UfOYsyomR& zKb4fA9}&p`KNiPtbe)yQ77NMs^mILRw2X}KVyps4Wm8v976!pWI!0b8S#oM;+nYfz zsSc6E8?8AxyrGa{$_DejKcc?}%8Cw%SokDJ#g6%tQ6T%5a-Q!&*ixB?^*~2VLof3H zOAevCB_Le}F%+Qn%CfDxCDt^qljd;-Tpd2a%Aiaf0h|YM^t4WRNxlT}{S>_5j~_hv z%tqFyD|*q3S2?_nFk3TvDg?v*D`clME zlvnX|oH4HUZ`Ui`IRX8FW5@NJD@M7MTOTru>yw9`y%Tua-quzhPf_gC@hDOqBvWjME4_6z-kObNVDon#pf0GD1`{z>z5pZw;+JJcZ zHj+5w!?QwH?um;Ku)~U z%$XAuTCHyv82<0>d+QEN8fJUx>Fd8dN@ljGT;vtR30~r@=X`z`8MU^fSISuJd{~c; z@KJraEir-1ER(nh=jQVS6vll3%%woE1DzgTRt6IsYPmO0EQzm!xXw=E}C3Pj%$IR z;j|lBeLj-GU1$K^F$<)hfLUb+aVlk>LNdAaLEvDJY4vcX*#>&cJ(W>0{1e z2LE-24YtCZ&qkyN5W%9ct=81sY;p!cf7$i` zR2qBM!FP#fl&lzH?DLGUOb@QOtfa*mX8pbb>N}#`s;WZ}L;#bc`e{3W2evHz1puBH00Ni5o%TvG@Y_%M$G)d3-}8jF7U;cBtUaILM?KAkI_|77C>ov!77i z`(gl78b{NBVNHmeNm__GTZyjmNFieH6?E1J) z96kYuVI7^%Ei%J)P$-Rp?shN)zK#Kr!shQF8Acq+){C#-bIsb9PC0=VbvB_ily5ea z+Z%rB&LVis1#%B(qSgHT{V79XrO?qvq#_gKH6hG6$U&?{f^~NQtlxt^U~Qy?v_`oi1;OM;wFz{O7t-KF8t%G|%q}S4I=jxq*KcKhBS_ zwX&3P`4>iJ%Kzg_L-Abx_95M;f2Sb_6B=8 zjPyx}Zw%)83ivP3s*tyebOp#;7kVYR9KchgX+>%g1TZdgFvI;q{(sPq4?yb!537ME zVnNAGf?Et>3#ASdCjbU!`LqFr;{j!8t$g}zf3~(6iC(GgKESd4gY9sPIZuz*e1JmT zg(n*EtO36HrP81&at^-gOwExRPf=R6?I+QTiJaxz$S;L{-jO#mWebUgg z!z;tp(Ha^N(VFW6Qo2QjVcp-87Tt+226Qb+Pm~Ac$ao<8DlH9i8sy2C`gou#u2#RU zSDFJk8vm_gd!`hh1s2nLBQ9>qyKUDElx^LZtY7XVy=uF?oI zPasOW&?{V}qGOJD>Dq9Ei$BOC>b&@|seXK)sCVyPRrGf!Net#2<#UxHWWvY@=yq^C znS`nkj??f>Gt97^SkSjzSGI*o0q7P%BT7b`Aaut(7*%t5CQF*M9@xLS``` zI_^wuf8n_`$E#ulrzn-S0)~l-s}w%5MbHTsFe)h(JNh{H=A7#VAHqH#K1DT&$T{+9JvgSO4f_K}5qWUMn?pd9y<%go+NXO4N501HbL0cKHaZ?Or7(kb^Y4bjQsG+d|ui}L3sNFXc(3yQZH(CJ^N&RfAETum3 zGUdd}nUH<}Z8y!RMs^a>K+^&9%XM54@G3RhV=%cHf7_-LyuM}j;|DOq zW_BXC!SO0YB24Y`MsQLl;TQ&WTKt6_4j#|56}s0OS zAf;H~d@_6Ztg z##Z!^V`uf!P;6C%fdil6$|xCIa_zCzW*K3s^pWs-xLue?^1%Od-cP!zwj&q!2L?n( z1yH~hMwPB8HE16;OdR&E_4DCn_ZVM?yWwg2FZYgdwmWK!u{Fy_%yl5oOnXJT)R5;D zC`K-hTJcS8DL~%bzgzUL6>4*M8TdM;?2qxv?xB|bxKCGiV=3+^bfRn09{XsoT;`Mb zgOOd_tp4)!yZ;@0c%4hURs;=u5N!y&MGz|~Zv(k=Kq{qnqYG_^F>runpg#s`5l=PC 
zX%oyipr8QOUp<#<@9vnoqoX6-8W`(dyx5167`Vb7V&fDBQc~}w+_D3ot9ieIAw4xL zG!#}Z>VaM|%&VGSY|#ub)jAUd zZs**n56@L?LG4h_PQur+x3Ve+U=UGe=jxTQWy31h5@v`m*tj~Dcg#M%@lN1m5kRd* zg@SM0RD@;D3w`juzF-NR|Dx``(auIlz5qn-MMDZfA_%^pC84IIR5mE3^3Gy=aY({(8F(1d+Ck%=3M|Y~iJhKl&?xX17)LIhQoi;4~b>)G+{u?5T z59Ot>mixgi<#NCk32#azRu?^ijR2s0DobMga@s_Dr}GdBu~bPtgrSZ;w zVWpd?X;^|`iS?t?B4e^BaR3UJ5$^?rR%1Ni!mN9mnzC7>$FKiB$*M?E0l$^95Db6L zlXbYlBwCJc2*n6jX8Jz{1G&i@a^XVZM%ED3leu6!RrP+3>go{l`9S- z#S73S_&_nsFaQ1ejknR&=WuXAYl2j+x6l@>0Rs+t8>rWfFwKOnNP^ackc`0{&g{eN z`&%+DXgPU#>J5=}MA+v}YIC15<2rQJx1o6DYrPY8E9Ut!ULma^d$Y$X7uu#X= zO#%uFgAU}=&F3JR18D;RYY$ym2f+zM&F7v_K%~tkf^_u7efaQt!indS%P3bV zB3GS_*SXX6?W7RAx@>2j-xMxHPIDxOh27#2^S}4lQ|Yb)@~gikm< z|3>&86y8q92irhm$MW=uir7H;-=TKwZcHW$?uE;}QCE(gzfvg0tisGL77D};ADw1UwVNY#xOWCl8AnA`!5WjLmrpG zE(vP3dO!x_x?gu!x&ry z_$^?OAWoM>?B3A6BWh*DW#NOg_()!gcLc1LK7r<*YqMgdbQF$VSUvW!9XLyo2N>qg zsm9=hQ)W*eI!4jbKp+2)vq{hu4OIKIQjFqCB#I@<-mU2Dd}D5L{jRS+nUK))VDZFN z#}Ds+oL_M4bN*4r+7mkG#Hd?VdA@L(yQ+N{>w=Dhb6=dcIXt50!4Vr(N5Jg z2V{BUtf9}b3r8uu`@t{1r}OTEqzhV@@)zTTmXYD6gu}LQvq9JKPTB~Ba)6gN`jDU; zwqrRVpNgDG5^?@J+Z>VSSbgHHzs~Mufw}|RaJ_@0JC)%{UcjFr zOV~acEm$b&n(BKLVK{ay%<6N~)wY+gS_atShv)(-k3T7EbJ(hy=Qf&z4#QEH00F@- zybF}dxxAr$_a?0EMZ2p;%k!GE@9*_xVemPBw?uzhJJ~te65UuD(K_c^9>HJiv!d~< zBzSvpHNSd0vp?tW`;MS0HCn@cq0?yz*8J0}rVhj+SGm;DN@;zFRS}fc?I6fH5M3^6 zzs*7cVZi_==Ia*CVo#6xM~XU>?XIC5hag780}v26l_myTf8i~zh7KDfIPnVF%dt!= zS5YzdIXyF!z`+LVZy`!(^Ye9X6h$S2nByb}P(t?e^(!_(9LF|g+9jUK>uWb;6n_j7 z{q?XBO|%k66rl1_FZU=EaTuSKFxE{>FbDsJX|0iK=Gi_XbDLI&tYBt3rb3-+(D;JX z5a7>vK2A8AWNgnNA7(X}gDBMidVOf1%IojO(}|H@yKpX7OHV^X@a3Lk9-4*d_kK%x zJC)XN=g{1No1rVI%%|LYd#dyFGOzViY*jw<-cblu&ieG}70N0BHXNAQy%S|Ek@F}4 zRnW{U@C|T!3MuNfQ*pe3)8(^12?5k31@gOtUX7yoF#SRmd8Bi^1O@xY0v> zMHRAapq7~|L4aVoIvVG_auD^^8|vuEqE^@~QrD!9AiOQ$* zvyW*t(G*-kF`QC<_hLDTMd>^2Mej`vlsc*qr16;(^H2_c-1FHEo>P>OIaWb^;bm1O zzJ~Ik+fz}=;0>)9)^X3)`26GKvb&^z-&@R=uVYr{4^|!IZ2CkUE_q1$%eGTBG`+(# zX$k~l0%8Mrc6suo;=PaS#o24_x-XPqLC7t8gt@rot;O(xflVz6Q9v*rNil-g^}ZmPLVpV 
z;ALRIs6ASW!Jl+L0Xvd*o_>AzvqxP@X_`CNqvPW*`Nw?#x20(=e6P);qx6bq07mUS z{q^#%%FZJPFQ^5^op38IQ&QGjE9q_~-fgGyn-}}SD`+|M>{fRL9M6f7kq_CNM1JnI zg8x1d=CwE@Pl1&K{}P4!ws8hkM*I5?_twU&_zQ)7G5EtjKp+}<+&?hz?2-7pAxt95 zNY!_GADSrk!me+CxMjCT4Gj$el*2w<<-7oc^iP%q1tHr&VI1&*4W-s%W)}Oip+UHn z&pQl_1C`#%pR2|zBPHKP-emLMdE6!Q{T1<1wlOsls*zKR!S8w}17jS{i^4oRYO$4u zN!4p82m*FwfXYWALeeAjv7<|Z_QG0Y_K9v8P6j0W z7V0A!@S1oZJN1rI~sX(*D}NCe~--;5tk;qX~MR%s$a(^!%3b#|G|x`D?F$V z?cps2Hm5he=zouoHlVc6GhQ&N)Yb)qXM<_Z+v&BneCE#-=(GPjeJQ-5wZri#@UlgT zNc)(nC#UlE(#YBPP8=slzwZVz+7R-MNm2@U0>C1gOm}W?qIV1M34k_bu7pY;nn;d%X#DdGNOp|*tUiQ z`16ji3k23hYYkVqIe-!Zf=bWt!Anrcm(Ck`Kh5fuNeD4M2S})NK>>6)>kPU*Am)d* z?-+mLr3`D%Q2Xe;x6ZmFd&=|@W!{FUh))?xjg-0o9V8=xD2QxM6ngSa-M|@mlR2o` zAiSt>3+DL-I$A|(NE49=@$ama3>V3q0RKE}`duu%DI@dID}4@PCj@9njc1?}0ds=e zY$si~LgNQkllP(yzW@n#I^3~ipgW;rdVsEm{;AVe0cC(Xgg4E(8RY9-qY??cZ6PtlLbLmzJIo^d3o zfXWU4`x^!{XDRd%N*aKw6<&BB`8d}il#ePK!BC+VKvsPNTRQKZmiA{?pBR2SL~^?-R+HhiUBjSqLdbgWnV3ugjquK3vz_Xwc?(|Wf^+9#3kqzgqovZDaTB-%{jV^z z9K;wA_`|x(jqA^FxP23h3t zeCvuQ5aY7-tJrj<2y4Ed7KIJ%qnU&als2SHXU!%9a0%PH;_3di6e+xI<^7p8KgtWt zK2T{T=kfN&hS00Ydb>}0?k6ve+EqXO>KV%!f&x;c{QX-&m&KouU%#&1SVfk~fFHsF zB$hNjH9)dsHyVcCVZOxqPW+s2kNT1jUQ$MH={9Mg@^T>r9{vJm=6$byqhZ33fyakp zZwq5Nm4*;I%mX3O3E_9vZ1Qq1&xoG2Y>sMiMb<@IbfjP8dwhYGwk7=|DMucW5bPhS z*jGK15w34AXOnQ-;#Xwj8Hb2yUeO;sEastU#+vX^^lCHD8hYw@ZLiUkG12W6XV5kU z7u6n0O*cyT<{MEa9uD-xmhiTyqa|TAI^4anYBEvLGC1=`aEE~3l=eEZ`UO&5M6Nt) z+D=uWkHl!{S3En5<$pN>Q0M++JswxeE4v708Q{-H3RY`s58A0-SwPe&vL8q^AFsv> z(CdTtDClugd`cf6ekvHaA*1dbHkY3V7jiE^u`*Hqo)-GF>pBIKAbHsX#IHbNs0tL3 zQ!D^i4=UC48pGlt9mXOZd<6HN-8rr*9_r0l~3hp(R7Ssi=ZH?}d z;Pz}Ee(Zh^i^Gc2`@hFNLeiDgM+Xs%_ie*dAl7g_1*)GS@z;59Yeo7MHqq){+RTrM zxxg#m9X9ipv-DdBVE#p*6h{x;FmFTV6ZGAbVNhOyHvZL?kg#y9nr&q8>S!6c?jkS? 
zEmWgO$QIvBx3aFE{xhTi-i{2ce-#iA0IR2zPeDdBPb#eRM>Sb8G$;HTN>WNHlKWSs zO9%9mp?nARst{;lLg|Vhx&q$#4Av{$+LO;Z z0nSuA>ub8Oe{BdT6Wf-^J7yev0_S-yUq$uQL5IWf!H#6TDwO?|D(t6)tz}L<1#A|* zQy`Elp!q!Z%j>_%AoSm4aFW|nIU3F*k$%l2%^#Z3hWz8{?KTJdwK3~IZv*LgP?J)y z`6lN6A0bICJv}|>0W|GfZq{WXVz-Yn%sR_Ak@2yZUCoH6!Pf8xCuY1%aWn`C`n{@l9OSf(du)1rlDA(5wTRlJy+s(y8E?$QWu z#mC3F3V~FtsVt$bCP%;WpDm9 z`uxj%WS4Xs6&H(O7%&|A-<_OIfSot3y2js=r7n%*H0q~m7G|4){Sr_Z^KEz)ppLVi zo=g4qO=+tIPc1N|ce9F*<>pOi;11?ZVD?$}bi53>(OnkYxQ5GhqL|#}(XxnzIS|Z% z(o9p$ z%Ys*TX<51|E2QUw$rt-zv4UcV`M>?3;kNdAz?iblr!v^d{H3no^@?=rgJrQLQkhmz zl@HsWVKB5MiM2IgI-(GJU@SjyKG*hCqHn&ura`&IoSCz=e} z_m03APW)aN6it&SGc>qkFNYJ%IRh_%Oh$h5wC2Rx-Y?akZA(*)#xknfUOd^;?!SnY z#}2=5D(z^Gg77+sj%MlqJ)2PPYi(uKqh{;$_zov6B+ab9pu54(Vfr%p5*3x-uk!QO z*B zl540#$r$26M&DiQcyeRw)laHWK2#=Tf)<|J98OogqS9c<@<>idgydZ;JALjCuPlgF zqHp=+ljFyz53x_tp*YLzH%yP$Iw3Uwv!DdokOu_el3mn9q1D-an@f#Dy)Aq>E@!WQ zug0}?0_4W_xtRLiEl3BbJ7~IYyqz2yiv!j9Vwg5sZfSKe%U<;Q;*d@MHYx)dwFW=_ zZ`9&+&`)r_v-aPOy#eb`pTjZ+I4*fvjdeey65>Bk*U3QNK~5e4i6^C%&3RW*O{Rj0 zyr(y)%2kz%c-+>j#dy{S@u!^&o<4^sR?4q1hEt{Np@V35^^fwb=(2~p3poG9;9 zItS|u=J%GnS`zibqt|X;U+S#-u-B(+PJF*k3Hpy2)|hoE6N&Zv~b7*0|8&v`Pc6+4;BBgYjh-k&emIyH9% zyBM9&o_3Q)giWZ3PxxM`-0Opd8i$jP`%41u)9eIX*^u=-+v;xV>nTSLULQUKT0DAr zJh7|pc%7zqi5AuU1M>bTm~b;IG`u(F8zA^ao&XEF&XAbUjC%Q-b*yn&ovvf1@#4w( zuU)$ZPZG#5R3XDwOUok1fXh7e5BzZd&5Cyk$Qa_Iqd)gs!-W*=`d2u`->ExCV*=D{ z^M8HxI`%#cU1?8<_-S;4Ubmm49=*zg z*hXUi#!+}uAcwm{3;kux_Tl2{V4ls?H*rnzY+e)2-v`mJ@=xCRY=y1&&+3&LXrb$L zp`1DjRSv6KhH z4RU%U-s9u$E~Zz=XdVj7E(Zch*SiUj7YE0dOk};~Gl767&gj{r@Q4T*w^fF>coMwp z)AQ6_#s#t|VzA0bQtF27f$VjUTu6}SxH1pvxOFlQ zkGe3HeK7@_=aB;J{c`4TUut)E)$x8geD3StjUYT8I?9=y>K>ZpfJZP5#Kpv{cL!^u z>)aN6p5Qj3y&jUcx`OcpOc6~Bx4%9#{RBYeUuKdf9EfC>`#4_#+vxmb`az$mt)*pp zKC9oFx8e1X0e<|KUMuxb`5Y=N%jsLOcOO1f!qw-(%b)>dk83@_)j&7ODZ6l0b^7T4 z|MBu=c1}0Rzejk}3i>7q#&E)D${qXqRvK8J4R!tYaBGQ9&J`rQ2+`{~Z|^u!>lGgY zrgoe=KkK!ENmTCLGr>K7FpTw)k)=Go6hY`qdUR!pj&I*83y>g&XJCVR?hmWZa;T&l zafaS_Y~g9^s;d`33i5*tRaSA(miXBTNbvE6mjrJ(&RT`;%##*UWGl+yn++XizL(;) 
zY*`#FbC`4JpXLR@hcCpGD>qJ=Rn5QSYgjc#%UeN18}MYF)GO6;sO9(doBnp0_+pI3 z9xpr3AqeFq#qsoi=T1gfdv);F%i{F|FT9Jb_m8zt+m7bn?xy(|=`I-y7GeSlcpa1d z%sxtcc|3jk)thXT28vh3J4^tJIN3E+C&dieH?mjCT#$(I+nU&qg$Sg;nY<=vL+x5( zu{QS7k9!nMCH9w2pLjVB?#2#CYaIVHH8m&hrF~YBh_xmRkWJD2S`9@X2J_JlO=9GN zpdO();C851{V1;_*|qtoqTBb-{$`Mo=knqH+UnXb+S+GnOYKyFvh~;Ng#;u#cWgzH z5)vfL+hYKk`i%SFqp=d48A!CIiT#nGrlz7|&gY~QN%Zw$){DQhf+nvYa*x+|y1_Q+ z$EzbHVc1H1OJDRnuGBQY#ncTD=`FdqQCf7y*V}6p&;-8J% zyr7cF%nW&C`r}*cP`?js0^Qu)glqv5p1lq%83zn;3JuR}vmr!1@S>sBBi%Ff1+=5; z^775_(+#sNUwBKr*t^pCUI=3Rj3pO``KVp_@fjQNQeijCl@CcWKHl(jUk-19BwW~A z3Yq``dTO1dP*vjyB@WH({-fhHSjtvxiT<2?O%)cfB6-qJEn;iG3k(0dWtqJ94j0Q7 zN5fI#r{bLco1N`cG5^h=^V@CtfFmluet|AKSvS627$H3Qk(unZmnd!{9g{JnG+g3c z*MMFjCpXvJjr4^%Y}sjnY3oB}4{n?bFs;hqappIu+ycS7P9db=lUYwS1TK^45782^ z2l2fm^Jw9MDYQAj{?arkKm73OhnmX8Aoj>wo%xgJpK&PDJxspBKfEI`UnG2aTKKz3 znHo0h9Y$!(?`@@hzwa_}>LIeiZ3UPjk3*`75aU!+_ITh815M!N<0bW!s<&W zC&34h)c_s)URXOsO52WC(p;hXxdzn=_&Q~S`qeD%3$J0kaQE;C3JPM9aD6lA3X$V* zIeB2kHuXGVwx_3OBTi13w8r<^l>VNcI{Ws9&;q^7u(8w%r|cOlT!ExY6G{;tWErcbt{+pu0$>KI zDu#wks?kSmmtGmbgz#zu0LdZqog4ljjYOh1va-%?>v+ufq`>aY<;xyoJ|~hQujP8j z#~HIf-g-`8ad>!mk%lH^6w;zWJ#?wsx<3o(+Rr>+A3~n3X3m+`*SQX(r7E9$KQYPR z?~n=4Q@4i4aMmy#4Sdhzb#hS|b#fo>$DSYS7K(wMRfib6dAsz`+}8oea!d%<&3SX? 
zUiroIJa1Tb{Mf|8L64&Vw1y)jkDAPz$Q50@ywOhe=AyEwOA5P`)G-{4c)+VJ-#v(L-XYH4_nuM z&o#tYI?qamlv9wi%+w9bu(04nwgD0tk3o3y?R9M;J_;0$oW!~;Q6ie(=!9 z8m}6$p~MAb1JWBOgY~r;7==_iSq2>9_Hji#QU3Vd18i^`5j-xw|JS zQeZH6AxcyOza8rhrr*4}?|uk9{$Dk#d%C9Aw%%X@c+{fuq_5WQ6ih8n0KmK0dsrz=@B%MQ^k~7?6By76fEt9&M>0SH)ZduEKr38NTt4hnxY=E z0AD6X(cu018Jp0A2~#Qx3Y<9K6->wR@}^Wi@5bN1aOrfkw6q>P80S$dVD&P;2PBYQ zle84|*F)28u!{k5-o5IL|3i)MUqosTKstc{}?(U0ws>c%h4OBb9U51hrjqY?LU{~`rqUU4;a_w+vp(Hd|9b0Q15WGKgIG?S&&z-T9H}T8 zA{&p~;btE5q^wgZ-|;Ja)4#9x1|E*(z^jfB2Ar#93GHbfeCOlD4D9gzQSYf#rSei% zd45s-s9m)7b8~GC@Kx1V;Av%lRV`L6yz+NKlF=(SjQU>x9_(3~`Sd#x-3+@$;FoP=7E zcwoWn{?CN?sQ9`(ld2&G24TN4pbUk4Z_I~a@V)U2lY}a>kPaZ;`~-i4>Fp&`18GBH zOK1+SZDm3M0!k|9aAU2K$L9ssWqjRwMCii*s8KYEoExQoY<46>f3$VZLdxuMTpv}y zE#SY3&a^2R7$hlthON!eYES)ZD5dm0HK9np8yYy;D?4b#dQH@t#HUH$WrYI98hanC zh#S~qkm

6uEg5EDalRY@XCGTVJRB%KM&!;@e&JzVz=OpY4o4(mt_qq)weqg9mKg z;go)_Pa^rjT-e=)v*HyB+EyrCwn!z~>-y!uHRoz2Bqs9GhQZ<>SPm`$kn-2AC2?~naTPpnQO=iKb>BY>pNf5V#7IvBnEv z;9=R>01gYS?_FbIP$&oxe9YnnU@MrMd4So}y5vKstN?o0Ku-a5+lQrOW9$u|VD;-K zLU$pN7C=6d3MA^sCRurzkJ1e^&^W&8Gc=UB@fGePf#h07$3N(*Ft{SW=7vobSpUwsDoeK+eudbH6jwsp(JPk&Iz zvUJ{k;`fP&wH+!5C40$b4VDJM@>5dsmf~tqZ^XyolU^dSm=pj-5#^%5*-&YnpIMkE zKq$r!Xg|w*$X%)kE6}QU382>)y2%xf!DnUmtAjPuO;3TRv5hz%!$~yrm>cC70#dbB zy4)(iPW&*jQlbZxIStv3Bdg~tlSz?rODdB$v}QQoD_g@e!)al>rIW{p(ED#3fWV=K z$Gz(x9%r0G8oaxJ5T1>Ep$426w+Ltc3G2OlV-bt)>@$KHYMev}RyEuB>5l(9H>;A7 z#Kc7Kul-Z|G+~`qZkZEPjppcuUp6pJ2yfca<0zF0GprKdcrO$9e{}=pI_Vg>V08|% z?r&X&1rD`6~w zRs(YF0OWk|^8LxRn_PK?4BP0F71wtzI#BUg7pXlUfAE_}^_%&$s#2 z1niOt2bUvyB?t2a;B_Eq*aoZKj*aR6B*FIsiB+0rg;j4VNSOY*-LJ$26oAM;8!hnV zS-x0Wy7P3h`NWawWT3ca@*Q0&r|rnKozF}qKLVsxCfEho_GF-dEmMZDFUOX2T?u4vReiM=b!zh9Z#( zub7)`dz2x8_YWulm(HXJ+^k}8Ya6+>=H)Os27kM}?z3a3y0$VYOWvp^u6lk)S7$nW zi;&22x+J3bYpA-f4>BfS=-B$-PKD-(4Z(p5*YT3ivFZZyN?Yg_u+ayI(m4Br|W@0$t{uPiR?_{J0*_gB+lwH@r1R-kN#Eb<+;1;udL3IF;f!-8{=f- z6SPygW-}R>r~$stNJA5-E2koMtsp-G7r&Suj;*bV!wOT<#< zu?o$S(E6nHJZO*F(hGMfqn{g}lAinEwT;W&n0GS0+q{M$UsbK#tC@-|A^ShF88iyc zegIWO6OB=Z-Er5aFZKs*QeU#ydO3)w@3d11)wj2EOG+|q$lSK5|2OUMIj+D*IFj2k zG8+DT?PlH}XK6)cwyVkD$;RO(7DMjivD1Y9UmNCBXlzb=mm^jI&7JMaY_Q%NapV<3 zhPG5k2UNTDJG2Uxv6=s{=?{0SVq<5YhDhmU5$>o{AV-AEi5sj!<=8HqlaiDyg<4}j zF8=jld-8Hq!0lixR^}viBU#GR`oqMJw`t1;EWKS|N-*9A{wz$64dg~xV0QO_ErIJZ z^bS-M2lWHJL0=Wz;ZOCr+0ohg#7zY(NhWs>+o`r(VVZ$`lsSI(8=_z=g8ZSOF*nH!qX=;1Rf5n452eIXZ&l8&{$iZ;7Jib1kEJ8_X~<_gAyBL3={TFtF*C z|H7Pjq%JEYgs7C5L3x0nm9(hfinKJ-PO%5`H#wvw5F}Wt*nOD;lkNqI@Cc+-EAdUFZ;6)>Z3c(`5ItF&eJk*zPTv&e&I(( zy-aq+w=uD?DWr*blINl3DJhk^Z?F-FC7!Q_66hOkBI?w8WuU#QD^SJ+ zD-T*O_jm~K0OIg`CyX>0R<-u1ReUVVf1OfzDz8b%_?Q{@qkc~{-lLgH-!L1jvnp~Y z*0YWFY=^F>bkT;qIXaGk$VD;cKv`UwXf(RiqU!^&up8}Bkeu|BT~k(|g$D)G23Z`@ z6@vVbZ=_+9pHfp(1-zyj&fZiI%Bh8|u|OC$G}m*c;)+}HE1DP)bbkLHJSfkSq4{;P zKEAUIE|=f+^84-&XWtdFk*pwX0(6LCx7{CaMPRMos4&QQO9~27rm!S}ILP+}$o~~2 
z+p3J>!(9q9p{IXkOw4*!bFZl}J$hfVsMzmHeODDk3@x5;YxR!q|7btAH@_*b5$P2p4J!at*{ZY8VYH6Au6 zzU`CsAhbJ6N(uEPy0_Mbvlxi1gX@PYBi1SgJ zW(x4N&wxkIR5ZgMdz`D)BdgnBND9vKE(^L$N$(?fs6!xQM5c!%scR75h9G>9iUnVs zN`gpX6-hNljyo2(cbp$qmsXRJBixLS(E6SiHcy1}o0rm_4xb5~3MQ{4Be;Bo zQ}+tkPZM~dB|#s&3vUKUDZ07mI^Rcs_`v=1+GBx$sV)Iu-Sh9Eo&Q975^dQTk87E> zgt<3f0?h!BAgR=aI&WCN8)^k?gs?|!5ETrh%7+1VIjqzwFa}N_`xP!A$pz~KBje-C zp`{G?SwN8lMgB9u;@41>q(?mfBdSb_3a4TMrs$}WzkEo)bzh@c&H)keCY)D)@ zUFR{|@)Ksk06m4HP+|hlI~TYFb||SaYC||WMBl4nDJ3mws?VOukpDY!F4h3EZU#L$ z-q*xAZyiYpX-EA6t!SyK{b>-o{W8O&rKXpjE%xsGu1v{B(K_miAT6_Zt#_ESpo(X!h_wlkFl|7{nikc7<`_t;a_FTof-)Tp=;^cGWraVoc>}f?AJzQ zT%;$fwY!!op(|fhIZF`*>3Nv>QTgiVo70TZ?~1ItX5uCu`y594M%a`%KSW;2$**qJ zv^g}2!UpA{XJu0;oc_X;2SNvmyO2~-M6v}|5EvtVTHQnf!;C8Q-`;<(oUZxR5vSMv zU~2&!kIN!>T2IJh&v3|tW%}L8VbK9wBvB0~7gu^lhS`~HwFD8BuMh8YP&qg_{51Y- ztGE1O0NO0WED#&|wG1VKY`t%8BwoqQoroqDYLbj0SkbSBT z!`<;LmC1tjqHoGQOco#}RgjablijK2&CJVd(dvoS;cej-+st87Xt1#0C`Ejz?bX$i z@fv!1VFyqfTtBCI*15tQa(u}^w}Ij{rv_(x)OOXZ&rpgepNpI>)j=EM1YfYEb^5t6 zWtVLVGyJ>6r~8*|4zh&Lw=FN*{sf|7z9Uz_*38Uo_@)9w(5;cW{W^mJR`SWJ9)fLH z)6C7u8R%xp!o@`}+Mp?Rlh-`f#KdIJVCd#;hjp6xSDsI-h2EI%otveBA0p{L&DVtt z)Xwx}$~P*fUy7^KmNJsP+>Td#&W{;%^ii7MYufcWSd&;9F3`D97f8Vc8#Qs52vmtR zaQzsR>u^(3B8~i-mq-QYFU2w=uaa#d7&hh~F= zIo+W`Nqt~x>A&g7Uos|!llFcD(D^q`10GFe*zU*DG!KmGsa+pE?$g(DWg57iaKn9g zW}u_*pgywRtl}+EswXs|wF{}HwQWCL4|9k>PfMz`Oh{fPT3xf9pb6<4z{oyY+`c-Mcb!UP<3++)hrvcU5 zN#74@`idERv!7zuuJ^V{P)M=ww}$$LDh0^0aslJGyn6O7cPysG(9m%CjMQz^3Hufk z6H~nTuGThaH%w@9GO^+!GYboCBKUYiuj7sR4G4$Ww4RU_z&u|y)XG)BX1!NM2H1oT zt%#6Bp+PNGQc>Q}Kq2wY7Wbk?+ZtJ=>ET-fTb?5}=jLTaP9L2o;zKukJ~l5}MYPOQ zCmEj+wx!gvL>n(zedoosr47U3((ybgSXxuvy$xlmUJkkw9|3Ltk9&(A{ZoHY*n_q@ zVY--|Sk5VP*uYg=ktb^9|+9ceA!Q3z*5}MHz3Sqg5b)rqXzV;zs|kvK}4g6w67qCJ^eD zd3!IWg9Vd$^d;QQ-8}RlaL{Mpc#oNxe6n5f*vBX1``VgL$zyv%jB3Pl$`D9SH68Pd zzCv7~NJ5lK&jQjcAxMe%{o6EGD_i|40|P_(W8g1SN%d87cuhj>npaxRu5gti7LTX* zZLvrBhgD^P`OYlBoDiFs!pYG0NPrr-xI(Y@m3z3{&Af`a^{J6AmG>Xt??GOxf4EaF z?mEu>Rfgz}XU{MnKNj`g)`tpClMpv!e6!j~2#{`z3#b?OrkZw 
z?BlY%jV0A*;(;!$0ej3o`7L`ha4A4~NPFpjxG%u>v?2hjHCJ>=dW^rjfc zftdn78l>^WN^Mt1i`@q3Kb9RluFwJrOEPkg*U)$K&eBAGkfFXyAq5TfKVL>JuSxkK z;ViGAp3ma8@Ziafb?>WiCK_t@`cDIYU=D7bSvWPEQ~38Ac+XN_L;bcFp&he+IPp~f zZ!yXt2M+%f3Y7bv-g`we;Y&e-<9ntcrib)N5TT#aG}v>=5^`}+-2=GgqQh%5en17c zWTXa2IXF1>4tKL`h=3;4f0M==d7u!Kxg(UObdNI6C zW7QFfp;qef;iAJDncdOe>8jHH@6_VkdKa^#lYmLH2-h{^VaPm=;H@se1&&YwH?d$uYNwlW*;SOA`KDehMeFD~2Hn=FFDmc1Wt zIe1m9&fdjq9n{pN+L-pA6s_HOT%Zv3j(eUJYnBXsIXISPU^^Gsbrcn+e>U^6RGvjp z84xPq<{AFdkf))MFx1}!RqSrurK>3CvWMTxd0O6|c{ zPvlQ9q|YagEsj?d56F6M!(Vx9;h42BOJD69{SD90 z_L%k|A`OiJ>jeJG^uD)WU7#v-hR{7b zJ3G*{!Y1Le98wA;M8}hmaW)XQP&Iv2L^I0&(fKH`l z+5y5w6gk)-8GfyFE5#G^*MCeen1?n=+>~=+F*(lt(uH+2|M9)B1A9JOW;VK)WjlA?H_G|6})8{jtVWA1$rd^t4W4GMW*V}?mGYTQGe)O~D+OPKoiwUQ8XtL`Ai;`)My+IDbjt)qmf8Gic4{6T<1rE zkd#{UD`L(BZYQU9dj3l3{F9B}%`k}BmKKHlf26&4JeU9eKQ76LvI>#CA~QlsQk2lP zNA}1Fk(4b&R+LdhDy59QqatfEl1-~H12e7@&=zQ5n?_WOLl|DE^gygRS! zx}M|lc-)ur!}ssc9?VgxXs54xhZc;Q+T$Y|86Y*oYsI+%+}qU6>Ys;p{?MIWaPWF- z{Xm3jVLGVgp3#rg0@BW>#zMToKLCC!9KM2y*^gDf3+*EvKYXtC-hW&66fzHb9nQsa z_qsgO5V<`O27X+PO(%7;(L|5j!;-k-I8C-L?-{ORd0l^U!1vsOZ4jWu!ncpWgb zfU@fejvG$?QAU91bjm3Z*`_Z8^q z!BfgxjJSR4)@dW7rYEUqFJK{oO@&2*-~mD-i+QQZ0XI{4MuDXHXKwB*)5}U~@iNF} zDw}3Er)e_L!-K4))XE+N*f3ZzzD zD_&sYy0lwdyrrRGc;qul6P?oFX>iJKog(bmi)$RR{|;cytD2g=e|UC|@{O+7+mP^Z z7*t!fGlY;msiKkjtapor;9BN9hMb zYrWi`3s~08y{&xVJ^1R{Q$8^jt`zG+N*AoL^&rD$M)TqKN)`isiW=rhixa< zx!3@2_cxB6R4<2Y{St2M>(}Q>T1UTF)b*lW^KwSrhG*r&?WSZ37x%vTt!^E&E*1gp=S%{^wl{4yCsC~()l-gmph-&hsfl9+QX|As>s z-Qg%=92`sPN5Y1@*9eCc{@C$;gBt18-K{J>IjTHS+1H+koOz}x!2us3FuV{s$`+bE zyx6%bXS1T+0}&L!&y`eBLWf)lKF3S`0EP+sX&E zhafH)Klifd+E{9?;MDI6o}JHEe$5*t%sh3;D_k*Yz3v^NKb>@_dW(h>A966UJf5Ds zU-e+*`F<+TxM!OH2>DhPgwt*$97o1hJVAU!$ zaf825PKu{sc5bdl`qFVlMMdd>d*hQnwq^}e+XPy-pS}JhzvB(>?%mWviXNO)5#)=5 zE?P1TPqy6Q*9|ymAW$gUBw;|*ib>3tR21ZXqpY>!hW3x9(5E)-lRi#YW%LM>ba-;SJnCvWnOxKR# zC-vi!lyv@-f59efOHFO<_$QeE&oVN4@O6It#qq7f4&12!cd)2WSf!scE*YPt}NVQp$&^ zgMZ$#oeXz0P{^EJSbTV;ruoViZP{IeQsR`#R*RXoa%r$CfDI!j6zcBdc6asp4<7Ue 
z{yKfBr|g1nB%wp%IOs_^)ug4j6;``P@6`NVzLZ127P&8b8#wE*-o`uwDtDHikGaqKGiAzcG?p^>LIs8Y4@s#i8z4A4@OyMDEpo2WGM z@LNOp=O7?vTF+qdBx47|dw6=}>UBka|HXQTFecAEpku5zG&R*CSeSj|nTr#Rv&7vU zX%?bQJ9aXn{)_siq4!?H#?5prNMXm*zFEDz&wJBvN%IHX-AHi)Q~swEG5j<+2_EAg z_IbB6-+B@t;X`-jZ!4LPDfWTEh15ZH*_-AX9?$M`g^?0M6MVJk{$=fFOTY3fHx)F; zS`!i|_;vR)mwS}?=$xJ{e;S+=juP~~{FUZp#q!s$Id&}K26ZPcYO0fDX*lH;aeIRP zJ3crF`6!U~VtA<)=(9603?X0jva{-$ap$)!tR1tR;)6OKL+o_hTm^I!_LBrCT3v(ES2rFm-an_}VM z@RwuH{vfnIy1MhVvRUbahLG=4yVZ5u_zTx!xN|ax?ku*@M873&GfeLnn9s%|oE3tN z$BrTn$~}ReTgKQP^73WB+ZjbYEWM4M-fuW0fIdXjDylkV_Xmi_`L4a|?Gm7=&S>ao>h4HkK59ehi`Q?C&<#ysoF)9$jrX zUwilV?d#Wlr8(P4VohSd7K4YHKKzcW`|U{UcN~0eG$EO4sfT}uJ8;)zJ$u%6*`&in z9EZPh(m6{ir@3EIPpzrH3iv$bQF3KpKjpJfSooc8T|Rr!Ujntm`-Td~Ps4y$Xh%Cz z<$1{39Ec8O^kFWa+v;;Y&gJYM9Y?NH+uj#7(u{o&;B~p>+jM#r%a6dFEseN2q2K>D zF|j*J_0~m`Se;mm+$qS(7Z(;(l$AlbybLBWsb2-^ESPxWbY~7xj<3{|W_e|4WyOJ1fpqf=>Gcfx{n@5R5IrEw%gYPn zYt6G~{k>7r`fsC(8GQ>Xq)`fJ%3y*r7Milgl;u9o&UOOU4f(?4qKS>oDBe?dW)D0u zF>7o}pi`c_f7+y&PmV>?LjC7~C0MUNkOuf4CfAKND+G?)0ElRHWJz0?w~6 zB{LCrV|uDnY`9gu%UQMCUH_V(in3P6_c9ZaJ<^_x8dLHqWZ5%GJq9 z!fxZ#=3|>>s|u-UnHU&IU)ILD#X{22@3Y2!&f zsI+|ztbHpNzc*zG6s|8TpOw<7Hd*BmqZO0><%JnQE5VeTe^OONf+!4vsj{(1j!ICd zA#EG8nW(bayPeK7dS;=%6zcTz8xrGhb@50XxffR5!Bt^yvb`E)SBE144Gad=5|os8 z0|*fH{qe^iyEgApjt6PuAekcNw24fk3Dus5SA6T?VfHvSdviN*6~10ol{RkSHV*C~ zOmgTRo1THW8n8q#CUwn1zpx5PjZ21R-J0WVJ^YLMP4+&fJPhmoNoWm@kx^3T?67R^bJtIAeZB$fVKgBe32uS-Ypoihsb4%mRWg6qvw8CcHLFhJR}j^j{^nzR^zfm-PAuSl8)?>^ zS%AUe#%T`LWZE57J~)&l%Q)Q2y4tSw9K1#{5_Ey{9zS~a2}l=%zH;f(9=k`hrO&mD zja!-~`c^!^D+b?C9&F~-usS7mO)}0c5AEB65$=D0D6g>nC&*_$GKDjFE#MCfJW)DFJO}}GDh~L`u;E^y_Y^$QT7~thzVgCuD z#U`;$jIiv*6*&)2MC=pTAs2#w&>?^($g1pTEnC`KH^upZjq^LbjC+MZhxiHpdd1<% zPQuLzRoP6{R&q~zL!PpAYlHiQh}%6mXn12Bwcr9SG&6eEij!_LB=;*6O_;m%<$Q6Y z=)b(kzGh7Lebr+B+sEdByFE)T*kUy(HE8tnQ6egc%$I#7o(sPSEp+k|BtHjnm@MOy zNp29YA3s5CxgBy|nA962gG@s_WGbrm zcR5s&akvpIi{_sOGjL`YeHSsuc>F_l3wvx_9IwQii0nmT7ru!%*(Vp>3Qj0*ZjBp# zV6F^~;YQq{VEME^eF1Oit76T)!ZDjE7`=GdM`UfAiB6o*1c^YuIg61ccW}g!bym|k 
zkUo{)t`mV&ERQpi`lUxEn{_a(x6x~y*LT~oi?pPP6#wM=@}1N3C5Ky+IHPKjBli{h z)&0zmGBU!1)L}gYydE|mPugrCijo1=D^{^%mpVKKQ3HQQ9g5tC%Psfi5nTKo(rj!@ z8!oj;ElIef*Aw>t@S(Vb(zCAl9FCTW;Mk46Pz=fsF^^~3oyF# zjj+4PQPCjVw5d{^@Q%tJ|EOaeXs6=w;YMKK{exbtuPP11^z$h{2i~q0h86KqclV;K z$dkT#eMIic+_=_nE)f~R+F|t1n|xjkXVRCnYy+3BzDUzf#{o5ij757KE1?6brZkHI z@-^PQ;K?9Npqh#_)QLp=d|B|D0yv+KBo2D#*pYuTWSJgq<6ZqO0&3X`;pJdd5@1Y5 zaTRJ2iK!c$-X?!^1_YgTVJMyqhZj@-D^pK=!K7{spkf56!PzP-GV*0X!B>JP9K5xi zSYfL6ue{n>nJz>a>91zco&=EkNP^9DSXvCr4NTcrdLr!!|+l>KG? z=WzU?Z^8ReSciGvs;g41K9E77T&U{3F1I=gYGVY);V-+}lD{7|%(46H8tgVV>B(wsnx8 zxcPXsIJT(&*v=Z|LuVZz+4a&9UI12|G1JV)Db5jBSR$yKLPEzMct}mdtp>JFC=)v~ zdtEPELAO6SLl+el1-}O^IIbbjyAr+RYMr~QSd3cE{!*`ZofKqbI~A@;BkYzqdmteX znu!9}tz#1=RoN5<1fd7CmeLOLE-@41u8jtVjP>?Fw+f4!M~sD(vG(YcRs_K&t4%Fv$8GzYkmbcyMRt?f9Wo=Y(5YA)1_#ef-0?VMPgR9?;nI9Gpo<4%Xn<~EzH z?E9-ZDe@q@hz&h+hrePkpMq!2l_)mvYqlZXP7}**J%VxeY~p$^&t)Ysbxa+gFBr_K z94F^D`+h<%ce8m|-lGQal*q-&xq`TZ1Pv?U(LuC3VPP~QN5IfC_V`|a@=XEJrs{gC{5_jNWT))oX=%0ya$9n^DhkWcVMcke*3}r_mur ztmCCLb}AgFECs z;1dtEC+G$ev_UG9qm_m5R$+h_&rOL2rolTuVLj4UdL^>=;MjxQFL0>RgV2A1b1g@% zhIsL4Hsfm?1H5jmAh~3-fD?IVrUe7~jr$n>Ln@`7{&8sSZCzc+Iu5XZvrVD$&{^je@dXG`PK1sohyk7vH!Icht}M~Lq9~FkD8*~dDk#+Lf)>S$H2to z2FD@`CrWR+{EYLj^f8>`Ji-@-pKdL59snqmVB5(qyknXxCl79>=Qm^e`4Ku6JuWhI z*ZVF7e9gw%!3iI%+{KksWBfQ7>;zByTDO#v64qz@>D7)+clhILjrm3zPx^YBke7OY zew`bTxiyb|=R=AwOYt=ac~-2aMyd-ng|)Di7)&3(_cWt6*VPZVB2i*z(Xjs=d4dEmQwwCrHEe*bVBx(n=dP=)|^0s4gQ ztnKVW53h^p!@9B|h{lA|80<GSDGT-kkJ#}Diyh&^H%QE!i7WILAm%~DW!xEcuf}E*qnmFh-^G}yDyp1CW&X-%I zub2876K?v1(R)C(s4SkNPAFIrNRmP2(Hae&fz@ zABas7hQ6?r+^3;QHV-xBZ0$uO*VB5Juy?(g1~mMV{*1mZuRXLe(XeO-0h|3GdwQnV z+A051aZi2y&42dFVbVvtuu^jP%CgJcdz*`=ysU4P6dLb`zZ57B16>op7VN6eta;cy z$vHIbrus)|XKWWS6%taXv*IdHj=kYTd3?uN33y<&1|Hb9AU;md%&n{}e8ZEGz85`t z_c{7HVT zHVBvFUFD4_0@3GUqaXRiZZbDeRgbbXXDZ(d#OqUNEv~?z`(0x1wW_lw7j8uCQYVS_ z`qGBZLdh(Yl2L*8*)fSQQP58cQ*!}ClTmEBA*)3(dCVm2vScNL0f>%fs{|!9jG&!X zkrG@AaCz1Z7YI%Q7!vDNWa~zl(%f`K*A}XEI@7l%8!vu5Mb7-`F9UK(a6a6zOlRs& 
z_0!Fd?-wO>Ipd7&wiJKNW`Zd(gcRf<(25~eL+g+y$>ec40^C{D&R$_d26KiPcfqwhdxya%j4)LWfd2~pi&w19g zRxU0s-5CdQCEjo#?-w_Ja74uRu84{C8CvVmv8}@Ds9CSbX~|FzG;%6>H*WJLV2(XO zw44zx`P%7PyS8CW{6`!p!$))&V+4?}=A#kWis$3u{Xv@4Kesl!;4ZLVK#+Zd+I zw)4>B*2CI`mv<`clso13S5&z+c!WN+O#xjw|@7 z|6?>8OnyIO`1g~Mrkt`r{OLpSr*kh}l+Q#~el3hm_UKrXL#;HC zC;#;6?rk@3-JbzKRlj{Z6N<<)Xv$7U;?N!0P+}HoaGZ}}CCg%u9-w2psfmdOVZX>o z+Vr>D^QGBHVoNh^Ib$lcwu8Fyp^GkQYmkxn#&ze&d)NK_vzY{1N#>TvN%m&ne5FcK z>YLhi+TLD7!z^x%L}c&}rH5at&GmvVOL;dV2J#1c1O$QhF zq|_m%HAY9lW#p;g((t$xBArW8%bZ)%FgYIE_oZfbV|XzHO8AN-uVod%#()^ zLh4;okHSz{J{rLeOgHd#zDdq9h7B9PLIf1`y;_2zyplTSGA1fDDA|dK_5M+SKt9+j zik_6cXZ1)0eXZc|IKYI&q*d6yunPPOS%X3-?@Y$L0xYQ*f26*ecfx=n% z?`~N4LjVIP);|Qe(Q4gTYQpbk&z0QD?XuV3zs}`bPFP#yEE(PB@~mRmhdGb(;jwk1 zjfiDPg%(HA!0pz{R}4hC)3dH_e-U?8^^~a7wM(@lK40_u@-O}lb%-c-7BhUh-;npx z#*wn7IrCQ0`tgLUwi?58=B;P-q7xF9@M!=z}VV0j|4cAhtjYdp&20N zcdR8K@}RfeXAMzvCNIh8)D_W?E9BHyh+l#o{O^7}A`1#9&v^PMgj%KWM1dW5bKku_ zdiduNe+m8@hn}LSyi*ibZ6DG9cdt-2vc5BRA8ARBRKc3DyXuMlHOB_73O$}uP<>YX z$nMM}3dw5)ed;O7JoFkomUS~Ut8cogy^$n`pqIal$C-Fly{cihWW!w3Q*Y9fFTzir z3&cBgFHm*ljg@A(#8O+_zg5c+AcWWU-#@}X#H)X1K0um3)H4i>e`VCuJX5?Hat!Wz9vZ`Uk1~xmh&VYK=LY za*p#nx>^M%K}W|a40?#HcJ!=e?p5vWQqblwra_&~C<}8$B%Q)b-u-()=V?U@LElDl zPLw+)4vvp6Hp@>TA@V_XHeDWKRsas}bDL!G*g*9@b#iiYZS_w%q|(6uDutJI?V0YQ zj7K`nTCKo*a%As*91i8#Dz5%AIMvE#$;c@-ZIYDdXP|m=H;W&H7<6SA`;uz6?fp_Q ziNS8R4N4P&2u6xNJNY-N3=!4=aStgqxLIR{iSgoB)IS|mOr|dJTdApu1pyz-$Tw9l z0#6Vj3K)Kw_sfMwM*2XO0{ff>#it2LNfEtMur8Bd1(L@y8Q2DGob15lWMW+0(~q`4 zuT=PMSifa|YQ*d7kv_gO6}n1+{4K zdD{P%I`1&9Z?Wlw|LT_r2SACQWzzRgnliiB-rr;UvnA_w3dSH*SEru;xtVz}aJ&Bq z+g-9Y!pQQH^ps>ovX{@=lJUx)@R_uaG;LA+7lOn+7^4R;- z(VdURu%}^w1xNP$a_HA&Dra|r$(sy!KL`ThWF4ZGjZXx-9Fs@b?EFi&$X*i#zx=UO(P1klh}ktlruS0F4OP!>`DbeOOvt>;+Z=@n1aG zN_V0mY>AdEllKj`Y|4I1mDzxntvX1#q$idp|`o-1dc zHfDJbR*&2H?64>x=&gqpiw0lW-Z02H%k|_2l*cf2t|hDsO*ast!FNqf>m@#2lq&e5 zePrJMHsy7IqI_HEE1rilI`;RRe?BUB$uVy1D}@1+_q9%+wSAG}LWgO)A2V^Xa|LsN zVHMi|XqfCQZIolabZ)DtSBYVrU)*=CTF 
zL7Hr`U3kMaIXG28%3{DTCPp~lVygQLjuIjnB`{tEE%Zs8h~6bko8VumB*J7~ZX!j~ zkvS`F!qQQdLgE>5@R)+RpK?!C5z)2WT*EuGQ#{&G&ymF4MkGJd@QJM8cIaZ*~1meZ1Z z5mV)^)3NHO9*LLieFhn*VQ-a7 z=&v{jUDpMswQ$?>ge=>%BIKpzoJ;kYpGL*zYIFkd>5o-^8pF>M@=o6H-s#~pMfG_j zzJJ0xJ>$Hm$`=dQ?#XAyeSBG?B=qBb2s6_@g?*-fz650ccwxF=rC$CaTe3$$Uu9Rc z&Xm-oVR=T;52-&#ibn!6TyH0sJ(1g0JSHmOf6|8yGVf<#BYl;GEA46F7!*wCk zF-9$r17b+ni0PUi#i$c~f1B^KBP9EegLZH+P_57mrEvMayBg%_CbZNa&}rqAKz01& z5iD9nA%s(bl5zCbtAmgE75?K7}DooGKWoBe3zmz*jD7^Z9 z8dFw{kCGX@^)2>O`TC-6iWm|#xu-krG7(I$%6^k@>sAHO$+ojV zDX$GY*8qoJLk-8uv}1^Ic3GJx=0$(|woN7HKtwAp39@4TB6_}b`u2pU*^;7V-N$1a z#9s*}9MEC7ep?RfqI-Q^NFgiaj;iRuYLRgaS8${3_VU4umJ}r_-E{UEGT8YDW#q)fkc#|dS}m7?Ivo$IG>r_ zPYF0_^u1;BUU_~YJwsl92}P^u+-kG2JLnXC49D&}rd{ya?#Hp$>5f+(ySFUqayhp| zIxnpFuG}_vJMp!s&)BH=RfAH(zUa?KKNksnn9nM?(CU+3W8J;|)SUC5o|>UsG#4%X zCCD+87rInznEugL`W_gY|D`Nq9`%OKoQsa{f|cf!!t2@eWI4;aa6y7zn&0X3lPISubADQc(?hn_!Cx@bG|Dj!wk8XP&z;KI!aVM-8UC z2hA%#)JFVfX793yF6hG zkVJVn#X~yxhSi2XYYV>8*uoljr*tk;&UgKG>a!%$U*@x^M96*o&yRf)F9?J{C)eZIaxrK!zwX~+Svk!6u z1o?P7joZ0?(T;J)zt*`Qy_aZ426lXs4Nwk`Il@Q$>4SC8UY zG~IR+Tj5FLJcsjDpJ=xfzSnjZ@2$UklCBo0i~#9zOMCkaOf%9y$~FJp6qeUc>s2u( zCT%~hcy8N=+2TX~5(Htz@Y+#5GfT_u+qON{6dqezA!|E$I0g2mvI+|K`&hbpVPX># z7x!|`+037d1!)Vg{lT~xtQgn@`{2P~72ez1i?TJcs0q>yHqC&qzS7%MSeM=(P@;1H zvAijo_2L)0k??)H)O`=_`tpRbs%-rk^(;fa)f?Owl1+8C{Pu0X!oHrDnZM>w_b)Ad zm)G1X*8_HIgV(S80>}KW(-So@@J%>_e=mfNlI*WkL`J5gxjACJb|?wMUrvGzor=q1 z_&qkXuQB}@c^>t}_hd@>M^sf+{~BA#UJCwUiD)wXdI&rZ-@FZl)$+>9Zed|qaY?Y# z(SeGmfBt-g9~@d^)GQ&ALlVPy4x-)s5Nr!0sU8yEMz&>Lya3Sa-sxOc+^a+vR8(3D zEjduUTi(rQB^ZgeaPz+wGr2&6cF&|n@fpJ>^DP%|2#WvStF|y!FQWK;v z{ythXag5BA2H#@ytyPTMAx%+Et*Nz)$RHd8c4*4E#?dJi6iox3q0ZoGf5NA^^v zXhf*A->=mBT_qFIoHbW>%e7NgvEWfh!&oFqZ)iShd;Ik2=g*&A2)1}Y)W802mbfI% zSQ7kps9me?Q4YNtJ+excf~};0`#dd;(g(JVb>U18zd5rf5i-&ZXPJ$S`|%##)c1;rG#=76^DQWtyTyG(nJ3CnEHXHFmxu_I)RUqDjSVRj zBCH2J<@7I2(2bCJGcW&`%y@iy*EDav#h&PRx)wo(km~k!#ya(*N6E|d;20@aK4=tul6j~ofz%74zJ+M2$;gRnx^D?j_}@s%ZdGNpJ@f{^i)=;Oys!Af*> zrJ)kYk8hFwY0p|eLx#^j}|`5cjcVTG&D5a 
z++-59ka@|YbRcdZSrOc`jT;zoF;DW!u|Gy1gy)y*wYIdxEN$$3L^=c=u*1bkhU646 zF)_?LhPAmGg9u(4O-xjjALmv@ra%3M=$JOGdcYTTpt5M8`SzVV0c$>Thfv_W3m=kJ zN3THECPYjNT-Eg6lU2E1O_NX(717=O+*3(zoI=XmXs(5|>(iOY%Eip%WACsEaoWH)hrp2_vb?;|H+DLYqd!B@O7MH}; zXy2rtTw#Q!J`|wA(PJR9D;zpZM`jAC&EH*FoB9px+Kvvl4{2uro#9lQ^wvVVuvO`R z&#rAZfuuvJ4k~;51Wywk1;q`}zH_h03|JqI)}U+I4jX)&5_nZ8_3^0J3TY1^bBG23 zU5)XQqk>?~XQ42B?g|SPOA8CoIZ8@Pc_k`>kC6Fu>U%zgL!Sl)~ zx`050X-Z&<0g6Xsl0qrMa&QFk@c0{am`*3RoX?fBct`i^B-7@99S4`j@^b@@NE{y$ zo8HVE@QwOCE19KyAayyjSh3Y<9__N2qF;v(_m%|={G{?TU(@oxw<=s!yPRFPc6;Tw zLyU*~PVKlYe{P+O-*!tR(WCo;PnO7Q;nVjSzKCqE7T)AdMJhXWeD;EVl{B_vu$;U+ z^R{g^1^O0?8_8(~*8SWb5#a0SHlqBoN)a(dPr3yUk5EKZ{8SQ32OJSYM#U&V!*L+~ zb;l{XY8U@UkA~5VzbY$35X}4c@8@5}YwGCi-nLoOjD9EYtC|3=V6mYuU&vmZ)zP7# zJ%_M&Hn!by4e+3?7Zpf?pzEK*v>{JeeKp)V`@wj{WByKk@hwxQeqo$%s9w)#=-of~ zZcO#}*!JGZsn6^(nly9H$r8tRC28jNW*fY2T(CcD^P4Z{&cq!q4Wd*DEGW1PG+TXK zg@=CKxsiqKzqXYmFOD*pInuRocVLmYx$zzigBdESTHw9t8nUuZW@^K1HT%W&;?mMc zcKMFFx@YJ5`?)FoO)6T#cJA8)3t^6<&ooh0f~^I1DuPvTn?#vk_5RmM2ITcjtZ&7K zkeS!_iso(YzP=5yEEOoe>LQx(b1r_mugdS#`T3Vm9$)?a(jnq=`i*)cK@Emr0hL&d z#1*~JiwWvqSC8{hbqXmFxppj}&cn4is`40-?K}A2pN5#Y5)WhL7ZVeM50Q4}5g!AT z8OHGN($b32&+M=*fapz7P*6rjX4fuNF1p#N{^WyQ8g$CmIe1IX&QT3t5!nZ_*y~Lv z1@`Uh?(ZiCR$sJ|DE{lqgtpz`Km0SGB(7GxbG&E;#-*a>&@0cL} zg){inKR)gsqI8q$Q|K`BicOc`?wRrgmh%;J^PU6a<2UaJN=x5K@X@}t zoBJ-q=D?lufDkrAfO#(rA z@%A#3i8U5^A%h|U2`6Z*CA;m-O)UlvNNaZSYkNsf?1 z?F$WJV{n0`y&S`z*vVzwN%}}gUEsvMTbhb)gOLug-N})sl4{F~t3P{HQG_NYO%^!n zt(G>K8u!xqbk7SEsOhfCeKmcPHCta)5+`u;+An!I*hf)r2Yd|&o4~T56T`-47$a>C z^lv&S1q?LU0e(6~3rQOf!ko40^XKVI8LQxh-Rkk}Bt2z%{{8xKFYMrec&pik>9)^* ze=9wBu|T9Kl%DAcsmr}Et$W>Uc!xjnOp{Z=$QElmDZ|XGZ@NFx=-Bl+70SH%cuzJl z^MC$FtO*!!K$b=wSXEI`fh0dz@2#pc;e<;=?|sM@k_i(J4-aq?E*8iP*gFKJ?{$nd>vm|Lbw6Bp&8kJTzV&-K29= zd_E_0kJX6a@Fne&)8Wi&z04yK?%C}>>o_Q`|LSymyYjqpHR-m%HL{4vGZAN!*%a11 zu6xfm6eVi)jCcfNw!}3yV5M;s0a}C)Q9jDWokQQgy|qf-k~jb{yZ2;Q4yf49S_%}N z?*NR`+c?iyh27n)F6YyRmu*GEzCXXHNH_hXm4(IZL}w)N{89hIFVRcdJnu5nm{J|f 
zwV$+V67K*9xy$g=V}r{o|N5>(BH!fy#h3lh^-z~xSjd5nK34#dPeAoSv;3`mM?X_c zL*tY)*b7d8*vNeaYr#V|I$v(4-nC&HD^Iz%F$aAn~Z9;2+ zlfJo2b>}Y4q0`8gg*QD%)b^69vzou&w)UL2fNi0efBcRGInuFv_wL~iNg*~{M`Po^ zZ?^yVDF3++|NhaZiyNBV;BUG}Pl_$($5QnAwKrgjp82see^)edd|YQe8+$+{J}`q20xtLL?C@p}3J3th1t$wc7Piu?1^Stq!Wf#By?Uj>(}vp)R7mRwd;Whu zlE*y^f#l@mDmaSn;G~jcyp^0h_3fLi_wqcFG^|9g8@&CGqbR%yH_B6uyM%@=OB_Ru zt!Tb*xZPiwG`Ui>5c0NP~FXK$oKia%>aj^bbq}!ZF?q{X)<${KV z>3e+1WzWR;OOG|qTg)d;(P-PhYFu!$*ZBDO_}V!uSNiiY2jLzJ<-LGw+Vki5sr&6n zKor86CO}6i;fy97@C7%A$s$JPl$uEIDu#USEfW>x1h7@t{{jsE+nCO_aTG zhSGJ0k_G%|4J(jCqMn*uPQ0ESGCFFbY3Atw@-aAGHi-bG`t6{N!BAb7OoHT0q!vrO z<(z~!csO0`B9;bs>MZQ(eRmMfGMMd@1V$NVo}>h-Nnt#N?tF*eU()%xY2Itr{eNyejlHE}{o*3yf$pylj5)rK``CEJuKByXu>$O} z+W&PaHjmf#%NNb^@M* zK??3^j0|Mq+GF3nCr5WDBV!&C=t2B3-ObI-O(_LaMqlsNgK~22Xs+Nral|77aRDT6 z;zcgugn@|UP;hiq)EPrVPsCX)t0-Wu1)7@=Ruag?<0$m`&OCijwPfJQ${wmoHk+axN+83i_qs>+ZeBKd3;;Kc}&HjEcLA&efs?Q zIQBK#-7e`cMT7)QDw)qVMi{uc$uJJ(d#0+pcXB(q@m^6C&24pY82V=ifwo-QR)64r42SuB0s< z9!uz){<@%H0)qS-8HL+v9-J=@r$C2%bW{plV5zG=*_G%@PRP^>#_By7Ge5`bN?PI$Gci#!S z-E({SchS0SJy3R@zGxs(X*eP_NW510j?)v@9YtP=^~1x%&X;_~QsW@3JKYU>TRYs; zQTmdnx762H3BTLZm7ytY1hE5b3MKBx$GhV^>FUze2vvTF?+UOg`IR!?u3e*G)K1Rv z=@K!)DJuHaSumF+rp4$%$dqOoh+Bw&ideXB*THdLYR?`ub@hqy z@ed`mU%!0)iePV|M}#40U0od}uLj{T;OIxoTzQvkQ=lLiziFA7TF*3bWuVZ3wcpn2 zM$RF@Pn8`VOx6^M^j!)P{#^PnhcH4{%)xQ-V9RCt`!&1j8REM3f9vkw*RuM0LEMn zAA{)?6G0ClRcHYbtC4f2V-lW|cro_(=;`Q)&-Q!MPL2%fgq7uGgv~d+IWr7v>DRdy zFsZj^9bhq&l{7`9eBBis4qcYZO!#zQ60wJ|?ga_sFlL5No_zY(%y0}@n?X~eSa{do z9iw}-U0ht8OqjApC};1w3WM+oV;+Jd2l^-U=- z9j7EBVsrEI<`iuY>F$IsPvg$Dt=dVfaucO~dF6JC4X38_nqqJiuU36Zd@Ij>RgdaP zWTrZmk(1}Zq~jLWD;M2HWFI}ecm6}0%JdpsFZ-Yrz-;f!CJ>XXqC*#EzCoyXJx)%< zs3c$1vJUB`X)lf`AI|Yv^CrIAFH&k>4#*6vp0uqZaQWnk6PI0F3;=S%;~P1Pl2Bbu zYg*P}f54F#toNW0;!}0!-O%!fyE`-#XE|I;F|!!kpB;mmB86Xy?Wh1B-)P6cAz|0w zlX|OLc)}o_@1nk|5sNY3>Vo+uc?eE4)T+AjFEC2=9n#}r3e8!92;>-5{70#d$0Ao{ z=mdvbxewP4uu7VdtxqXjnQ<~5?n%0R`%PcmQM!PGeSLj^2!d58wy;)*@2FBGMyWU# 
zgU>f(KKtd;Rd97NwJN!Gda$1M@b=e9mk8kGZftT>19OqII&ne&C@%w=y%ae{fw?yxw#@ZvoI% ze69t;+c32HH9K3KuOaXmjyH%IhmZ#ETw;UMZ_vdoph;@ia=&^tQ!nocD1+^g<>9nH z4-Gs>s4;R&4-61Xb`omrhjtg|_wHl?p|gSs=rD23J{8q?nJR)&FBpJ>7RHPD_RRH|!rNIZhpjBWCylG28BR~MHzDW4H}ZslB3{R7V7 zCYNV_BQaT95u65;V(HeLB%~6*;N*m|(7t0Qmt|d^-08+vxuRS?teV#6O$!n3nyp56tV6|C3Mwwd#X zbl_St*c$dVqP^V7X8y_jA-V6lE^n+UI-e+Z4_4F={Ny;&Nglps^ZqHF zwb#QRPHh>Vqh92UeH}0Lj2bfr(B)BYZg2Z(j?L_fgu z!!Vfr*v8*YtvDlqj6BoakJAWO>agzDFJIC$pA(!Wht1b&H&mW~AQ@X#_EcCsn<|5J zBg!_m99}tJl&f80-Vun!>F6WAyp-=KbGgv!GddR9e|d|QF!L3{c>08@s_!YQkjxh^ z#Q6)WXQ-+!z)@&-|1bc*Bl87Qv`f4jnq=>gww4{d(0v z1Nj&$D=YMo5iF8bKtBy`a8VwbsONrXgH-2k zq&8m>-e;otJ#ZkK<=yvR= z8wZu-u1HW+TpY#iY*Fv0vnVJk#$mj*M$;vxQB%@I-NBGTUA~lNkq~rTZfiDO=;@Fz z!8+*(f}44}*`s<&ZmUqENjqpoW7`vgURDc_o))-W$+Ao~%0xkT3=F&+nGq01_EW$A z0x|URl|jYL=6>tw@ij_dj+~sF=CD_?MB)TahD$SKrrZOHoNH^r6OdEUdH%-qij6xU z=fBp25CGwbhzO9NVKu0xq0!jX1X_zlTnx@Dx)4}hPz6@e^B(15NqrelM^*_>UKo5z z`1tr(WHve?HL2nPU}HiWbuiOXN!P$&SXlyj#-~o5T7JL{#t|yQU^*sI{m0trSSm&O z4HRu#XN-RT{yn?z`uQVBFg_%q%`teVyy@aE!NT_Pi^5W`D~%g}r_1e=Gygj3D@}X% zvjMf?Jxl(rj#)EX?s}w6g+UuJpOE4zbUYBWZSXh|ihbpV8QM{Mb?|O=$X*aZ%@!RdZ>VX2ZQ5 zERMUOZ-;sANxybuZEdFJAe0iS4~q%=*eWxaK(yfA^78V!efu{0fx$u4^9+oP$K_S& zl+*vY;V6fEX1{;Ff@eqX1!xEsQJAK@dv?gdA@gv`^vn!)Cb*?Ldrtw&w{Cr)&c7Octj-c)*j z+wP+QUruei)PI!f&WU-GtoGaAx9&<7a}o~Up}><-ZCn3s&3atNA?EdV@l)HJ#i=iB z@-qp$(m3#C-$p6z@EOW4!cyH=Y#NyVjXAej@6b+Pn?*b#+Rq=qnhq zH*6%obu*cZQZ8KSIyu$@`Wg^n@}`F23rbE-P9!5#R{Fh8Q=xlBLSs=)z78xsN7|B@ z*hSc9NS9DaRl~Jb;=C~D@bt3JQ2molT)vo-)BT4(Civ+gJudLPBtNer2Ky z=q9q{)h*tK#4&I6%XGhO<&^5I(blyq^>LZ8Yo$Nfqr>P%sBrF5{u;u5 zseXyeMD^C+<@x`x_U3Ut=iUGRJ3?d4UP(2U(1bQgT4YHodx%hJAxn{@(q?CrByF?| zm4=Xnq?MEs8a0+gi%LQ&qDAt(zst<$^SM6P_w$|4@AkX?xNdXJMLl27=XsvRd(OeW>HEM`))iC3e zYGcm4{l4aV>-Ut7BSG0`-^e{Z)Hxc@NgUB+$gpubVIs8`*mKKma{DExJ6{M6Ua?@o zQNx%$y1WNH&(QGWmoFd6GQ5OD2@XQMPFQp9%mp4=IymSO6)2&TwINtwGz?LFrixlVvKaEU ztxaXyJUzYLvqzCOz785Vd!f}5n|b@1TSolSYxPRa83FG{4g9undAA&+>hF6F-8-{YtA5?K#>8Zwi}xKS 
zwps8&dQ~A)M})19_8TI0L(1bqV$wHVwa5`Cz8ih3HK=#F)I%>sl0;2GBjso3$1%yP zW?%mCA;2osMzoqCi+!C_Y!s}mt&MEIK|4yct9uOoV3xgb}`PUt}ggb&zx6 z1~o1MvMW-6+*dq`MnP42GP$#GP!8 z%N@ET?1UBCnpo7M*oCs-oZU0zAjdPRU%$SR6tcl7a`Jpg#y)+3{!&vm4iO3%B4&l8 z-+B6U>My?>(N;29wTeMEef;$5Co}J%$2ccUUR6im2`Y}UQiqKW$=r>;cl?WFoy?!Q ztE?6s5PiM%$WOQ1X~O+V!EfQ|MVEiyf&8j#^Dl8Ljm8{jdnl>BTz2qm^NGs^&O%_$ zQHwTS_$waW9)k+SM^-n&WBfQ()x^})FdHY@%T6z%Tkvr9E0V$i(i+DihRPkP@g;L5 zF{ZwV3?pkIGaGVpaty~DugE%BH23IFw_jztx)(;z(@5T=b`mv8Seq~(pE&wZ#Ba>| zx!?Vw@SqzRJGa9>ua)2itEN_gKs_HosD~axZ#Q~?m!U;^sdC5brq?|Z0 zq+_ByLQ15Jzu!4CF90>fv~9m|i%W1Dwr$5z4n2RqN<%czF!02Qs=7K~w-F;oT!O6) z%H-i0;S&>iBlo(YI(pG<&zrTK)pwe&wpec3l)qr3!3y~8+)mc<^}fVJ)idchsxJ|P zjs*q|m6rAy92Oov5+^G5cakl3#tf)3;7SS~@8;q%d(NB*Lw<$NVhO(bOV_O7?hhF` z(svGQ*$A}_;?=uF8?`K~toAm3c=zs9r)IOiL#F8Z_xttv$Z9^^@(WesyV=fG|&t=Porl_O2Lw<4BM{-u#9CvGck&sga28Hv7`p$YWNStwvFg$ckap5CSr}pzxC&vN{Ts zU9mr;$KIa();V0B?HCdnS&)821VYzp-8y>ss3+3TFy3g)p|yT2mXL)dBQN~aorvg| z?B3qeDC~kBy+`i8MA!u`NAWM`l#gxmj4hh_DEzN&TqV>Eqx?FvDAYKo^R%^pMS#c; z7O!NgDizEdZ(tCU+MMA!TCZuj(oIGrjt?}1##jEbOko*;5e2M)K`!c5Zd)?JHRKnZ zHd<`17`)4wGq7_g6UrH<(9%apJSD^Badx zdVcqAug^`lC~(|lZs?DF9F31>t=HD{(}ekYO5AR`7V3ef&^3Jo#*h5{sv>1q9Kur6Gao_mrtMeuD3NWxl?xM&TQf9HbpBEf7*lcmzJ`eLHVsR20+u}^lQ$Y4vX)mcK zoQm8vQcI*kMq~YMKJwlq<{!EJid5$2jT@QcVq;?y$3573-4My;r%%Gm+q$0rA9Zcl z)|&Rr9l^0`khTpNz>`Xs>1}-bc4KrfXrR`HHzrI>PLO=Pu7%QJoaaS-@!1Ziy}oxa z!FSAhz2GQwi>(GgRH^FnGih27x5fKl_r^+Qh3UY&2P z^5Ob4U>HM5)~;TCzh6X+OxS5CZk|6T6gn>Kd=TP|J|)UEt5=iR4eh;u2{UXLqc95z zdGq0e4jM+oc6NT{-#hOrSHJ_O7noQ}g%o(Ya%Jf9gN89og`m{+rKu@QW80{-``&VH zvIx^q*DES23Zv^y6Q1~%k@@iYwfcrXos1LXwo8 z_^_iSM^u~eShUxZTt#(;Fp@tQEmK7qwGGEEUYz*!gq+wXL6$SdME#jvdlFxreBw z2?8umphq{6oi$-{ht$On^SIkakQeJdT3eQ(`)XcT1R(D3=dt8-ozi+cyKNfAZTRr?fLWjEm=y8!xC^LbGq#oW?RA_ z_T*==+sAMHE<0tT2_io?H#g!(&MrdX%$a*k6hD@m`jR{bq^3?!F*}g}kp@r!hJuC8g+^ z)$JQ{Vz4!M#dQfGDP9Z2XZImr#lg>*A(-kIVMQ3Y{b7@>t*wxU>&$2*3G&Bj0RF$ocrF6mvK8Xu<=pCx ze~xbpQ`a-ql&D7}Yhj+v6W0>2CF&V#&p;NE-k7Fjs_@|8gDVfup1F!sQ~W!J*P4u576K2Pnw*>*x#75Ru{3MD 
zUO=0HnsxsuC8b4U2KiDw#5FqgIw_|(+{YZxjj6-=qq4!mcxLQpzmtIHqJEqADD{Fd z89k)8FhD#=MI%nc5~9w051V1+1?2^+IJF_pAAOG=Wpuj+%-Kz244jo9GB5vvlWZI? z3|^9Op)Xz_*^+cuSNCH$N-+{m2KfU094o7);fAoskZ|u~O`UHs@AH?S++(5u7iw*O zo(9mo+}z9w!mVH3hn&!ejIzt6&MxvjNHXC|6@wm|d6OMq;==&n5TJxTc7VVToKFx? z-C91w?XifS=_qa)ei7j=SZjwSjdEGHZ_68pl)rgnP^i4;jUIA_AfC7@x?~tb?3bM8 zI7VB4p+ukd$^B3&EtW14rz4|!(4Fl+4GR17PZMj+bqP1H-65?4wu0AOef4=eRlfit zNKc{3mEdVNXV~jDshKDQ77B^XUbj{b?ViY- zw9#_>n<#>mx&pFP z!|&izcIdtKST5G!zoA_Ln_xCTvyd*T285pWpDI zLxtZtPeMqHkFr*gTrgEmN$FT;H&(>ZJ9WZ70K*vc3SjMqONZVL?L7w|4VQrkL_w;v1G7QyE;9{wn9QoF=L#GmSiyjOk^YZ4B3S6C2*r6)hD8s6Erk67lbH@ zR8E~dIli;Oz{-hC42RH7OIFhe(Jbuas9i+#ggkK z!!~h62Y&9f;n_8MH*|O@ngmBU9Vp^B`c4dH_Gjh?M_WWtQKt#w$4VE#vncu-up-D{ zE;_w({_1<_WhUz5=&2^+<=u`58}!H%gv?IAeh+eU7sWl6c!*y{w!$eensw|&2|XuO zytiX=>gCJF!p$IwYEKw~SS1GD@#L5^^5p^{PP-Z_=anzuX6*e#d&-o+m_kB4>^Kg< zAf|TNZxjR!|MGl#PEu6`TpJ0v^g*`K5Ad_^>%QSIV3Xk70RyA_H_(nCWb>xVitlT+ zA~|~XO4!)OgPbM`%3;)&Xn^O+ALu{w*PjcnjTXDzL|_263o-j_pScK@g$zNya6is$ zg1S8Haqeez^O1hm~nK$p+bKh&`I3mx7>2v4h3iUso}Q(VcCCiFne5_u}ioR z`2}Hz+CyIkpiqPqr0LUj2MCv$>&NSau_WAXkCGR$gvU4~NJ{#yRSybHzth!MAxs~Q z{h%dg$O+pC4bGrPWR+v)XYKboVPqk-w$qK?nN+Azyoxr_G_3G722;65ozXLU zFycIvT1w2@ho{Lz)%+hd|O#Lc=+(UrRHaroI_m{A74+}xrI4C`rs}f zY9<7RbB{On%|twjAbVS%PNU2M#*7;?rrZRH(iC`^AFE~E{su!NBtoFYoRp2?gffCd zhZqGAwQ$)W(MI>bFtph1t3oQ8I7j*8=1u)MbHJE%-!AVoXIul}63Jeuu{t~~D4*HH z!9t;0;w=h%xI3or@M+P}v*U^mR@c<*a&`5U(LNdBI#z6H5#x~Fym`Ze=fob~R#27q zSOL7IJuEl-S&|{)4KvT`G}MdATgx+%=TQ3|{T<0$t`}Y#m$PrCCAm`V*gc|pT1kK3 zq&GUi8MIE51|1ew{wph2{(9-rhG%QuGPbs=Ze4;4B{c*gC*lV0Te;f3?DuYvN%b|cdgV;LKFXbHx>{ZyMFWL&6F5cHSa%46@a4l=|vhKS>Z*<$>CEF zMrQTfy8yr@Q8?i^d+4G-;!C8}*eSO;z+gkLqTr-7|w|Qx5zB9r9xB{NA;Tghd(?Zj=@%NU3 zuV3P3kK)oyoH%jLI@G8Dbj+>icRL4%h4rt=Tg(5F1c+Krk_#O!CQ4?5AL){(uNsMO zCxgJFapQTh=6Yfx-KJt^Vi~otzF-Ib0hX-qGj_4BB^^FO6fVq56*N}Z+Spj$c>L#| z7EO;#M{{P+&rq@?Ola7E==+XP_vuW7oX~w6ObWhx=gx`X;H+imO%(Re94H~7vF+7t zH&bB{82eWOBzOM^{Q%5r!{9YZB1mfB)-PNzhCzJ%mYais>CYqC>wsUZV#)c1;;)hW 
zK47>tT2P^!V}Y^-@dv6KzeKcG`dx?wFij}O-f^hdpQV|;@NKu z7p^=nG`L;IG8u?$GG-720Fn0ALM|*_lXo7|fopn?K(oNYI+I(A3Zt?O7PK?v{AwAr^nwn$5a47F!-33mPVPMS~CimKQ~@mJ{R9=U~tG-{*=bH zGqAQV)8r3D2>Z^-`m%mEUbrxxq*;zzcGTDRb3?;#)5}<7&wf%vcz57u#>x}mVR07D z^5NQ8a9r7U?#K;Vst^bW?Ce>MSOG+%IebDu9^ch6dkS^w@#CTL_6v(BdRP1Wy^BX~ z-Me=lcs%PsUw^|GXcw%9Km7ja$tCB=yL^0o(d4r#4tJ)JJyQIeKQebx8eu_Y*|G#Z z?BXrSF__kEh!5``EjWVcg>!yy5_0O)bjtm19#c7P5jxHdV{RA!Ob)i7AKtG(?whoZ z`we4xqlF9SKD+REBW9vpS6QhFj*Pz43D{rR{p}$y8$9#abj}3rDtzgRB}>jc<{61o z+%$l{gv6m3sMlA*TT=pE4$sF<~xrc)m0}EB1u^9K*O;IBp!Ne zGr}<- zi6RfzT`9ivKlWngy}q7s<;vT#j11DOU)#PXHb<_xxViY{_is`c6#d7j9O^r&m%pC% zv0S-5GY(zwJ~P>G)9UNrzicR}Z;hD$KyznGrB2P}x;2^2pDYGEG)Y6?D z9Y40WZ+0qh(VFCuNcY9FwFZN?NAPC?_`{6@?!VuvL92!DoS=^mN`L5+gxyr&84wPdl{(XkTKkS@;})VufZi>RZr}_^;_zL z6H`xNB_DHC1M;M0WS~CP)YUs`%l3E<_$NCkT*DGen>>fu|J}0xhx6&!$^@#@i#Cwl z;9%drz4t78b}Fq~BS+5jU@EXgU$?Zi(@Yaj`h4$kPu+tI_~_C87dvMBqr=cnD$!O`8{?qhRUBK@*r+V!`|!bo)^DELZ>Il?wf$dh zd(6<~LG8}}l=8FEl*-+RWDu z*0aCu|L-@_=cPS?Dl{ZSLrcq@*>3UQ+v0WGD+YXT{@zgrpKv5Qy)m&N(x@Q*zu#G} zA*UWZDJt5&ZQEjnz>lr%uV33*Sw*FPN%~*j{qOM06OwzJ$hUEgjf#=|C+GQgYQRrh z$#w4U<`C=a>-+5A(|7O3EQDIA)hB|}^AjC9eEzAgIcI8PbNG)%vQ;KhU7l9xMLS*Y zzx;z&Qd?Ua_>TBWvdeg|O1)`;&1;NbHMVfAKY!k#IP8;Knsdq;ue;Bi6pPf)3mvj% zyQeVS04-;9yvyh)_}*UN_3f$G%hFQe_>KVsQeJ-8*xsXIdSRk*$?rn zEoaZZc)rTa?DPJN`TybF|6W&Pl1)%3DE9a*U4H}j=E-lorqBQJ6aI4Wzo_Pq(2svQ zT}|yO@pSw4(NU4c-tZ$&pFW+duWv1J;q7$8fBifDs%9H(ei8@-4c)nH7D_kB>QYj6 zIXi!8Y1!cZ1sxE}Mj}dW5jw(le6>NJ_7HByoI{O-u~X@$buT1K{3k&Ezv#)<>Kk()6&ZQV};_d zfV}9`b0?C5`X8J%pqs#b1+U=>1eq(W6N}w-%xRf`48eUs@-ejw2cEq8p=~0i&tXR% zJbZ|Fw(XneyZUf}yHjB{90npjCSpW)H(ak6Xvo92a3eWwgE}3->&;4uB(rvmm>rB_-`PZd^Bf@Ndsw z*zZIXK6?}=kuy3DlVX8XJ-Y4omJuy4p^%Lt_8mok7OorXQT~*e%d)WfFA{J^LGO%M+N)gD=c-A87}z$i7u&8a z$+K1gd$3e;jawGS));%g^`9i~(a_ZNr_1km`CfYLVK3LOA7_-}?VzTkZh2D<1>2{4UIN{LU0Y>-%Qo?` zaBk`6{aHdCsf(7q`!4y1d}FD zhV1xc*Sn!PZ=$jNLLh#%I$7ZrWtl zDb7;69>?V*9i-U9k$4yi%44m%T$$Ok(j87tiW4Vh!@_8F2tAqkq8Fv5Fbm*83ik-X 
zoRvk=N7uR$LJL2WY_J@Kz+atiassurcD38IPWEp3dh*n%0sZ@P$)hWCzr`gcE;Sbj z+{b?$HhR$E+}XnVi=W@7p#mM0cVh#VNZwnpaG}jnh0!JN-o>>mMy=)>Qbqo(6bN*O zc5PQ#9Dp<}jcF%bL>dU&KYyMQS+Js1)){LVaU}co>(|^AR#1FnXv^C7&bx58=(RdJ z(i@!=YIhb^a_4vMOnUmRy529dY>=4f^`xYj{1f@rE?T9JA7=;Y3K}YM-)zwu_o}Js zMBN|}_eI=mejo8#KBjmxFV@5q*-1XZ@$g}xQQf>_E?*JF##-#d7ObbQmkJzg8VTjM zZywca&Y9fAlRbZa5(}lR)878Iszdp%bBuyKn1#V-G~GaodgTh*nP(ZIEoRY`a4!-A zoM7*uWd9s45Xe#lf53}BJ{7b-eC#-@PPw8FLv{;o+f>ik1!bHxMPQn zR_J2+GdL?qOyZcExFGX<*LvFJsP;fskX1ul6Jt2*j|)6Oczq9MecZTyeXR7^3_FX=SUk})?k8$m#HZ~%U8(+nr@c#e%Mcv@1Dl92Fo+I!S3CJOVYKCk0LJToF6 z_GrItn@G`1e$ZiZh5YI&^*d9`MKZ4(IB%N*O{E~?SP6bDxygUYxvST%W%tw-Sm=HH zQt|QQlAO0D3S(6zIkmCSd$2In^8f;Y`8JX%RR?j0jg8wn?uiIwe>l&``}RqIK^zj1 z%~a7D{-deML~)o=%o3f*h4KM8ljKo_?4IF0S-xAw?yQP8@87>DE>2EOy>FXH48)ld z1D%|%UcC6A+Oc+9=5X7@;;IGouT9!1JJ44jZMCUK55be4KZVA`jIAsx-l}n7nc%WS z%1aqBh@hTCpQ;DJ#)?cmA`~bN8zCj-nDX+zl1Ta9b)8<+VrY&|0vCdQP=*LrHacmp zQ5^P5eM-n`b92NB->+0rz(80+&8ogTET`=rXX=%sDkE0y=!4A4dLcV>?X$m2?Y)8SI^B|80k zc@91GKt6mEwdgl*#s}m{yfkzRZ8~S6WN@$>XrOvhzysTuO?N7{B|p`W?k@y00WN8! 
z_&v!`b8~a_i{OQzN6(&7^HeA@kUVRB8J!&g*UZdJCDb}bMd04Q%U4~K)a~inA;f{tfm~HJi1kp{bAfYmz~ylnJtkEn%^*Q$H|rqK@c5!^MkzR4 zunxIrn~1K2sm)4n8eN(+1etfcwyE4|t7bSRNKZJ}oM!Mq!)2vIkIZRZslYiQJOER= z%Zjx)7uwve*oxW378RcU*y^q&6I}XdNy#Sej$HXWJXGP7h{(to^V~JI8#fvf0NaI3 z04_j9uB^1QXE%|H-7*WF@bbN?>R?}eUk}4yv(Kc4u3EkNeQoWw51hI^HX;?JM)t+-xF;)7=4Nt(YZA9n(3KTax3B{;f@I; zB!M!$+?5Nb;JXu!DTgocJ9@OuT}OC?QA8Kyxst!yoYz%RIRhef^{G$mJ753_WBwmw zx|^t<^1aJ1KE>T>AKFcz^Gg@Tk_~Ls@Z*#SOB>Wq8q04_Uft={$sN$F5sxuRp(r)} zX~otz@ggmo2+eZh5(t;G*9j@2K!hy5O`~gVz;GGIUiHBTg327dl-1SE*RB;7Sf2s{ z(00Zff3%U-(bBRW!2b^RnVECe5B!p|Vztkdv7i`moX=uGL-G%Q)mNCy^yhFklw%R{34ffI*=j&aHdJ!twgol66e&3 zS@D>mj7NI+E+Ff@b4o{l@9!7Sp0(YuVZ)9cQ$mfUwBK}ecw)=z)-luiXia6gk=>Rp zzWPzXP|e%;>$!6erV9kW9|gDFy*pQO$Kb=FBVt96*-ToYB(ZwsN`Be?nR>5x6Eew; zVO4Dpw2u`Lq)Yu+SlCN@w*FLPWLZhcbZzaljEt!|a+8DeY4Tyo;6Mb8sCR0e-qs6R z$~bJ+LcZcz-0F%wxVV^V_J3#8u%qQ$2d*h&{{&cy@_+A(;00^C^qEmP8$w#^}u3(GAV#uTI+dqM-IJ3@dng=d_Nz)xa zF3?b@M1Al8I1I(*cQ@(^!&qt3Rqc<6Jcwdv0)$ljCGl+V8nat$230AGAw>Tuo|z%n~dO3{wgsA(I|4BEYI8RlG&D|G}uFq@4`s z06hnPGm4gFrYv!|RxdO5^=CIKc!jlBw>=Gsh_JO8DsVR^oCs5HB~t9@WrE-3Lo4wz z^z%wo`nkBcJOkW@h4Dc8AA1D?^B?J7e164N+D%|;9PI5Q!omnG#`0(gXcbXErLCjG zW$50$JEsTcYMU-7{knj4BdOAoSr}W?>CX5@f;xBh(}d|d+Ob8`rcdAHdh}%vEuHEV8N{I+Y_Ba!Fg1IY8AQHTxtMTZ0tc+^kU}eKX^Mt?JL5u)YSLQUqAN{ zWIDY1)M~B&bLDws1&DQGbJ;2566;Y(H*dDVCa3OaCkUwYylhK(NyHI&?fJ2u-cWX( zpk9605l}V8(CN6alJ*)lktt#z2@enL$nfsYDa>l(fS4twqpNGQ&=ohBoV?Q1^qA+J zwf$QzL|5)Gi0Ppq*98fsWbf=ggqZqG~V0ytsfp{szPSc#oo8CRz6qNPjWvIh4*INCqAwbfPV+j$I)G8y5Ct50VJ`Ab`$ z%oR3?#dK=n?{UDwO2#SjJs}S=9V>Ki9T2%pNy0}zira#AY@KpCp(SHJtO`V7YgS#| z#FQB#Eg!6pg+@dKB`M$+>g#KNVHa@X+~(9}B7*i=T|lN`{^t5st5&_Pf%-AklF7)( z;4`ate*Dzs-f_TIR-?UwZm*En&aQUk+EJG{yX4%GbJk4*Yp2tRtaVvBatYD-g%t5G zW(iggX>q-zjzp_`L~gq)UDo=GC5>jCK88gJGpdjJYkLOa;b)$<@KMFbliE=9zh5j6 zlpX3iKF=xfPfO5*XlibJzfM>JQ&gs-BhT8=%d4zK^kscB4ATg|IhiY%z@?<6m70?B zwV`2=3r;jCIeD6rl3e(qjEYwQL{CFr4EEB$ud$CF2?KS&suN)uEVMnHgF95~V z%k4!E8*=ibCe*mAt8!_g`Io1kS`S3E3F;x+)D2uxfx5-xsSwPW(f 
z4$)&K3fHI%ll@Vidj9-g&5@QX?mA__HDEFcPE&uRi%6J9t%-uj8_-Rshh3fHbOV6b z!+^Xh{x4!pOA7F`vhhaW2ofkRF|=QqVd?pN3lxhZk7WDo&-hpm&c#c@4w`=lj`jR; ze!CE3e}%lIdEJ8H-w>(kh63!Uf-CxVzdYGge>~*x&&*L z)-PY=(<FC_^(38p#vND^jrD*7o+umJrn$5%e zk^tZAY=dRWt#RTD;W-&_4A3j`ad^0|M?xBU5wuwl6xu+wnItmL16?k^@&bU|EI6G>wz)%M1{+tuefnX#Y ze^3Z4g$C{NVdPZv=lkYY7n*n1nVwWK@d2|5Ti?D_2+l_d;G_xRq%~#A;}b~)M+V5)=>d5tk-S(WZ+e*+EapzhDIMa>PtNo&_ak}H3i z?C(W{ikVDN;L7?bI+}K+ckkZKS(K5K^z`}j^OFUFj@rn#@802QZ1!=Lt;|IP8NZVE zGFfc(YM)M|rGFehu|bU(knhq>@O#fLnAP$KY?oiX(aw(27nr=!rJZ^mbaK8;>(oF) z$&?Tp$$LTh*=MdO->QN30fooIf&#!feQ8i3mq6-I9zCiMCQ#+wH`?2?UjK?T+A(Bh z!BzQdW|)JcjBS(g@$#9DMZwc`^5==TNAZ)O6yZ&P-lS;t@MJR9L1P1f13d=|W(59l z_61d+-KJ}5B1gd4a|>x+OOOT5rzIyJ&Rz$HgtrHmEQk%r@UPg8XC!S?RaIqo3VU$U zKp^OowQKwL+3vnzojPX-$&Q|`(-j>e zZDg*|0Aw(x>cJitPtT+JQNqmn<*RQhg5Q1+N0|x`fp8m;QUCRBu(?9tTDEA#ig6AH$z`fuCiEQ{vt(YW%G{{MuBYyY^%gW(b#0XQwHq%# z%#aiBy&r!GE3@R>iN-0-901-7{{>)$WkrEkt0bLz?QYZWl zyZ-K7$+Krlr9*fN-F2zBuYUDJRfpc>XoEV5TY>2baQw!NQj(G@SFe6Sv$K3aAU?kp zct-mgAd~zdEiF7&p?vVCuipp^c;K84VTlI)3?&-ByHUMFWcOuN9Q(4_{plCty|Z(W zLvgp3Jyd}1+uDptO-?3AJq5`-;72(ps62Et-#li_DIJnOV)vr)Ri9d$UFfe97q)PSeNg2!3W>3M~o8CpWh&pJIH;@m=Ubk54 zJN!H%bW)aCv-Xlrixx&;Y%ybvR3BD5s(9!BaWP&bb9lL9GKK*w?z0=Lv8sn4z&MEY zre>`%Go#y1#pYhkCt@AlkH2nSLVR5LBR*zbE~&$uaqbmcH7F6jctIV{T*oHk#tlLt zkh1t@r$KqXKO1z?8q9trnWZ0n_G}y{Wo)rI;56U%jh`yf zmr9BLD1VSEe~1Hf^*Zp4l#$gjX_~75k{;n#S+q6fC7Ve8iMQ6@>*eZtSU(Df21Tc~ z!!%OuPYB1T&pDNiJRh&Ku}8y7iZv2u19P|DT{=;ayBfDRtuxv=X-?d`_x>Sk_hZc$ zp+YZA5D}R6`>~vvFh&(yg*|^wO;B5CgYKnZ!yE)025tftuw&K1g`-Ji79OB>P$<+u z!g7urxy8X@{r5qps{vPPQV(ns3!MfZhMSpuwXKnln`v)q2q@|}LCAS-z89e6G zC$1MFl*&AB6%}ihP_7Qkj~E~(xUBdi{Di@H+^wY6OSOsuKJ4Kx7nfYy#F*w@)i27* z;8qwhE-Y85tKai?KX%xUTXroe30W0^jUVZlyt#e9rgVQU!Ih)Em%skh3Lo7SoK!-E zFgv?ji?#f?alY3cs!V=7$UAwB`}rzu|Get zKbR_X;-d{sxN|}?!D(FrBL!a3HL+{g^hldmQJ5TjQDL<2xNAnECkGn-T}{hao^^$y zwT85(yZZ_KuOKSjuA;Bb4Gb(LWx8b9kD{D+{Os2ioQ}%4;854()j=Y9uipaa*d{hu ztDm^Q!eiK~l`2++-#f(qt;*tujO{;!4htWkXG>jM&oF*26XI_6TQi(&HhZ0NaDF%) 
z@ANYD?@xkF`Qmw<^Zfg+ojSMrxvLzgt04@-1yXY$Cmzxp`Nem@JY}DEcu9l8=+Eh!hZ{LnH3(M7Y9U(o|N>hkp5U5|147N@^|8@QoUUiY`ouJa#M z6PGOy+A#kAFU{P)l_0f!dRF&khTI=zWxA;9;Z3%04=AWHs;2@6`Vl4tjV+i4Ku_9g z|NXMt8fh7S{AVHGJZuPmhakU_5b##$2}pWl1_sQ)TCgdky7V; zxFg(B+C4}4Gua{_7#EWMwK*?+x^~8Y(N7Meo<*bz&$H$nzIuKCM0dIVaie^yX^-|^ zxce_h*S7TYmoN7=C{|uJH8=mB@3;1!eADvC7wd^}Hfp=v-QT}?^T*qy|A)>k!?&O& zpw$?tpA?XDBFClgJ6hGv*G&1E_D_!cU&Mydx9=SvAZEPkE-wF{H|X2ks`)k$PtXG@p=!1&5I*FF!~rnsQyR4s0r6}((V5R7 zt*5&Et;a9Q3$Fa}BP!e%OJxkHjt(`L2@lLx?MPm|Kt2F^1y+C($AD{nM<@RHqh3kC zDoF?5irgu2{H12sFHix0*FYCf>O4O@(11*y^TNppPcq5+n}BPrx%SM zbQnp9REh-!nOtjIApH5SC)y?dMIhJtfwI#Q_jkp5@0e$$J-Y4Qsv&(O8y~v#9Hla| zRw~?|NLi?Ykh~)MD5-lwCf*HM$i-%orY~QvQ|SmG>az!ASDqPVZ38@S5C6H}4&pGy z$;kYBF7G;3UzgQGr9o5o8piJB=0+|Tao7A9vG{d?iV;L4Op!`FL*ij};D|X@l~Dig zO^XBq9hI)tW$M0ebb-X9M;ZhH3PwrgJ68UqgF+zv!}NEesb)&nq~Ie9s~Z<1I|GzB zY~BpT4LN_#Bzg(ge6#^Jz?t`rkeX1%t`|J9O)4SakXPUxeZPb)h{bdOcBr|VU~aDn+qR;x7NpY|$w7tGdl zp?WASO(IDel@rzqRz;(MFzoexCs#q{`s~g+x1c2r1q|l%;>8P+VLq_&w=lyPMmIaT zx!q*rp>&Fi^U5SGJ-SNoWa#bfFP>#^oI-`n!-veQ*~vronN4#o<89E9zWU6Xj`7Ri41u%};FOdUjI>G+Dbock z%TuUe!}j_cRI#*=9}AyJtUO^D6^`xEKwk2RDj~~aNcWfx`svIE}N_n{!F0^k?5_|A1Y@lX1*&Gr#F# zn;jgmvwRWCHSPgJgJ5cb=ryljBjTN0aMwRF#u5Wd>@~o1n4KrJ0Lpnimq}Woo@nYJ zXeq9GsG+UB#l0c*=FRi0Dd@fnA2m*19zLO3J6u^-{mTT)v?+q}ILl7W1k#|Ax({#P zLaRV1@K?Xt3=f!jdaJ9ect#`TAMhA!Bshd=K;ZO?WtIb_!B_RrN zo-Oc>|3PIg+M#|5Q3zD)!~6GVM?G@U^2ETud|5sz7`X@88}>vuB@j+JYm)qBIjeCI zm^%NSi-sy|{?t(816h_<%_Ft@w=Bj88BUpS>LIO2S7#l}It@2aAh+}eV@j-y_EL2? zV_ClUc>0ScPt>)v6ziW`=ll}hMp8&oXUC3Zr5BXTs3EWH;xoNv@3k1A$PkW?>g?JK zXl%act`li2kKUC1Acd3@N4FrgdS$>cegr)gxRQGYIA4XBRE^Uk}Kh zqfO}fT1qD-3dHNviwq9T=e~K~*u7gM^kLqiF+1m--I_VK$}yP&0^zgZ;X{-}35$$N zuL!G#BwJ@i1r6Ch?8x&Z8VH2$%17pc3wqD3 zkxFN;;{`<|OHqNc^e`}pQrMgz_gmZQNl$4^|MV$Q?KW4M8U5Eix-~4t*V3?-Yudy? 
z228!!twqkduk%>3EP$$gZKbmag z4Kc&>&6Hf1$|oL~A(y#tn84e-i>eb`K%Le4tpf%O^%7JMEWJ=2L~7wve;+X}UL6(7 zw~^)R$S|DX1wLF8HktA53Yk zuO7UCk8bANpB>IIL5wFxqHEF%EWh8_UPUu$!r6Ue*Flj>{)ouc&o-;0*eWVYM1Dg_ zeaDW^sIfW)gQpkWxN(DqHWYt-d+x<1-TnJ7m#bU!yb25gTS?w`_3>u)U;4RFhfhfG zU;gXH0L$%+`$1d1XadJdsHWiYxT?|R%%csEmIPo|>g|0%GJ&PIPGMa)@d+Y0K5NTU zXt%5ii}|SOy}A^ig3O!Lweglp5-9QTW5fk&GL%gf0{O=-M3k2|Z`yBX&*mTkh!@d4 z{Pdl0Fs7MVN?O_j3UH3CwY3w59ig-WfqioP`Fr-l2AZ(QNVL*8E?64s@jBAo7Hx6# z3owhg|A235ttvJ_j62to3>&xf#j|I}4s2B1haplg zLQI6$Lc8zR{rqofY1+e%%nJxeSnMg*b1$CVM336pObQ{m=x=vY-#t7`sQ=R7^qxjgpRfv3gA({yza zik!@^j`omxXB1snS~_XsQoru$aolr*G3&G43R`?sRr*uxy(G}GU>d6Vf=6wB7BJ><|C@MWQtn>1%}Kl`LzOncnmaL&XqXGUz% zIsAP+oRoFp*wObteNr7z+D$Q=I^L8iY!lV85e`S_1?udEc?YGLFhL;5_`%YZf7+V7 zn%V)?aBgK))fgV%PF!gf@P)yN=V0Lb_3f)RWr}OsTA2a6WsOgUT`lMoDIiRZu|WXL zIbxHvY&{7sPoZCcx;O`dHYX<&K6Cj~k(NpColz|t!y8x3kze7ysGsS+qS_P1uaPvs z0a9mCE`eHKiD2==2ixmE2{P-ubgF`uur75m^A(V&kMf5Q`&y|!Fz_C~6W`E9lA-4J zvdH#(N(=(r9LW~y;N}Mz#?T3Lj+d_*)kNIQ7sPINbJGkpHZ(#ANGa#N=YaBNYuDmQ~yvSr%f+52C?=U;JfacR_h`S9Mh2ZtI-#vd)?7P1T@NA$JNV zQ3!F9go2L-YZe9%A&>`Cn&# z1L7UE#F?irr=|+;J!csYFT*{tHlP>^um9q*ccjrxYw$=zLj#yuCo|+8>N4*%Bqj#fjX^Ci{0B762bzNA@ma_nW&C(C8u6`F{u}-U zQ|DL*l~lr*taYOmg(jR@r+Vf{_L-~tc0nv3*~I3_yX#|kg7*FU`w|}r{b0pnJ3(eV zH6`X7SWDor9PI2KDR|2oojuC;JiEn#a-WsnCb*{0qaM=~TlZi$zKV z;7>_Sb?4UY+NJ8e6NyC``rzQ3H*dCkW|Y*u9&Kt8_(%>Y5nU0pWJ1&gAT{|UNzGI> zwabD1Ju|4?M@5acL#tDZ!hf<__m*W<3uxG~e(%Y=ga?0$wKP)Oz$0r&r{B0iS4^QS zxCxf;#fz}i^%cca(XJ2Z+AM*WyOyw%vr{uSO;eLasie1alBk}D-N2<;r^O5WG6$49 zr^F=8TYBR93aaoU4fm2WM}&kleEsGo-e86)(6x^0$!--vgZ)E2)ZlA<<-`M9-$z-M zjT?q$4xk7`!5QZr(|uU)9<_%NR8!-j{?5gu*-Nl2tIOSc18v}F($h;_Cgo8gQwUVi z@tPQ%A0Ho2mPm@oJwWC|oj+b=ncV!vt4?0cLPBe|udrKn8ArkGpf>nr@~!#`Cry}P zA&{`gW>^&zE(P3-Ta}IPQG(w1S@q0^5B3+k{jL*PK;8hHr@PBH_IY02SCT6X>-zPe zmz-jY@{a_z&u`fhy@tLWlH-X?ftho1aKUv!LlRoUuU~gb zPO|=^yuzE~|I{kf%tJmE$Ifp1&G z9V&J?EJ6E5q7pPvCthHog z7mYWFLwtBb{_dx34V&g2VZ+JOrs}8$Rpi$F~NL5I<#8OEs&Q|Bz%=Xtv-ZyC2-1AmgzAh-6h;M3Tlwr<{&5p89oYR}KD 
zI~x@>D^8Fu>pJUahhdx{ng^9oAE%^FbTarz_JM;3S3c|^@SgM6ns%`!6b*zJTqB4L zkLaWsUQmNBO+FwwEiI4-(5;mu=te^zP5rU{b@SJl$4DfQ_Yr)!o-_odrYibAc=!2= zP5<;YNZhd8zN-Tb=d3cpyUW^$9NT7LZ-0r(tzisT-2Ru$=4xuhQc{4Qst07I0WbF0 zOzP5a6;rttmTUw93y~j(>Any-Ok(18AR&Si0w0|o&la9BRiws@A0n$mUXF*4z234G zmwJ`vCv7{2!e_+OF7nIb`ylre0JGhkoE#&r1m?r0#h;Ifss8+VSyxT?V91lc_Kk))S>PR<`*W~Gvx!2 zcM!BmoHuz zR90k7EYCk)au0b?f{2-ym+tnV+#O0v)Osx_Iw6Ke2E5`W^`y|4YXoG8fw_i9PGsJFvE zr=-BiW$%Q11Y-!_LfOjD!E0yF9+<0~VYEDa9=kc|XhxQO z5`^@NOTLc z$$Fm+?JMveu&*oa_l^`E2abV(EM3DET82eI{!*RwH?ZEgQGsa-S~A~yl&^5q3@^-y zo(M}j428lP0sz4u9*6BEJU?X&Ufzu{Tl5de+s#y2TiZvVa}984HPg|}?cTVuOoz&? z8aNSn1Xd1rw@p=BM~B(TP-g49PlHyL?#d_xo;s*aoHX~|vKTXH8k+=&L3$Ku2o&$2 zS`R+s3cr2-o(=$fR#~Qfl93RI`aiMJIxz3#a{9ZSF~!@x4z|QuZ#cef-g6&iX)*`u z;a7HvG$d2U4*fNE3*E=$n@0GoP^VF$PS}|_p=0Wz&}Vlmw^{khCoN`4<9{qk@eZx0 zOg3|NrXd2ajZ`zHh?ZVj9;**>jfHKs6FMb(h&wyfea#WAcJ+j^SyB*x&O1=Wsj3#e zcyS;1z9J8qLD?z>vS35{GUbWKOD7ifwR%N^BYh-gGj94RKcc7Q#9?M&nVmCfD>^*v z>j@nC=^s{Pu^3b9@=TmqQ&SU;&qQHaDfbx11Rp}%t5AWad@KI(qelY|&yHSWqatay zn3+o`R#%-+n|5+=$8jH3A=kMvnhrmt5yOH7kxTG%La#WSq5yk*wRgE}ql*^e3gi?( zs`|wL!`z$4bGf!{-@jF@=23$*(4dq=8A>Ip)r6u+G-^O8O`4FYQAG)1DZ^To5Yk*K zLz5v%nHngBgbImde7@&TTI;&keSPlde%||i-q#=3=V~R+-*FztzHj@sZ~Jys9o-Q~ zdLx*|!GP->m4QW>@ zXjgSVJ##~94Fq&mRoA~X)-<6sHrE4)v+Z45zt#3YGOye=0A&r&H!kuQO)2jrE)*GQ zr{SH1^=h9JzvP?&g!S!=;DJzqDg#+uWhFZjmc#mpeH&41(2oi%)(Mz~xEEC%1P=m~ zV=LyM)3|Je^v`*wFtdc80Q^5=H>)+0_TS4C>T09&F{S83-**V^Q6p?YMMFldL_>8ztMdGe>vpK(>W zqz_pW&;p5N++UQ!De&ngf$^fE)HF+bv$eofC{j735S5Ls%6DroT(WYd*Lwmgn=Np( z_MKDy{+|)a3Z2;U!dIWFiF{0pm=C5{C4z3gxy-nAxm)52Fx}%1uazC1$veg%_Fp-C zHc$;7FLk5X?H3+_?ECIU`@cE>vF$i@t@lnrt%Rz9Tmh?PcJ-0aI3anV?cm3=EG>gc z4#(bX{#MsO#-W44FQ54vz#AWNPy^MvrK9vwr6-?uF>a8!9^)yvO<2HY<6;wmwNHRc1rd!+n!~}<6#%{okyLStM%sOvb4{h_Msj)`CiB{jt0w57@ z12=IWx^~uyidihzFR&N=PX_>H(9Ri%9E52T#$h&FLyJ53u8t}DeB=7{VdJOUbYXJi zmmkSE0JSKD1A2cH0W~%1ZnM$VG7P*RgnD&&6Qh$F>gq26?9ZO%(rtU;7&EAgxrqtN z>oJ0Y=-0LTkMio++2$IyXB(V7+CF>p#tz~l-fz>+1pXx%!h4evf2rE_~LY<-n3Qk@nQoP&9OaCqif-aY`P 
z+qBP(ymj_!sxuIm9)aClZKQoWx<}q4q;ui{eT*{@+s2HE)f5VPwH8Qa&q&SLvumxb zC-iZqilPV8H=qsEi<|-$qq%4XF-=(D(5|NEt~++jP9c_}{Znaeu0h3yS#B4I=r%OKPJKUR!E3BgE!DiMvF&z1aQcS z(>`OahQTbiG%p+@pq8zp-Xd+LhsGoET|_Hr21W0yuRh`|qT0_7`!X@}C++Iw>Qu4r zoWbl$LKFOg=eVJxiy)&wOFY(TVFGbLbl;d9=o^>eJzV1h-7d}SQq!G+MOI?0zxViw z6Cc~joJe$;<9RITm-A`nYu)iBqL&K@@hKs|{}@mbmG|agLz@6_pyK%q4i3hO-oz{d z^RC^ynLHx*EL_+#C+T4Tzm&7X@vN}QUOx^)4y=P{I9$6{ey`vKTHru!jCRbs9htrc z*)_E9Mp4*>prClGu1`q~H~0L(4C8>V9Jr*1GiwiiJq|gC(woFRnQGZ~b<2x0C*yFa zsCxPxgHVD>kaCzaKKiUR@_kKB2B!$FB>?E%j^Dh7hI55c8QnS~ea7}^UN!eK1Y}lj zN;89>UsSZtytA?mmxozt;O^mA#XKxJ%;HNNO%zU{u`lv1BTaM=W>P?|(a0X{r$>4Y zBa1VHZ_-C3>ieTIjg^_;_mr0h$RtFww-(7GMpC-wjx4?^fW0-LzC_ex=|ws7O0_Z6Z8cy=XJ+U8s~gPQhK+3%mbm$5%9AIMS`1&q zZ>%e-ImP6pY4!Sgn7PHVS>6zKbRt;pIXtLlnma)vf3yP*z zqNMfwBGi`p33- z>2Z5uF`20~7k#&-hdgWP!8p61_$B|w{4R5M>Ug2K=y~+(T)S89su%xhwAIwZ=RktV zPAbFq7tw2fo>#o1mfLdP-=vJRnV0c@psxDcvWHx{QgHJ>wP^d_a_9T+$lb(3tQ(|B zM6StZx`C;JC03uDo82W5Oi^4}S#en^q_5G2E_?lr|I$KMy}`j#eSlDp!L%*qe$oe| zJXKe2`YH{Zl6tE}8E0cMV2oxgg|5#W;btd6yE*e80x3Tq;98@%!*@w35A-mj8`HbZ zwfKh%VMYwWbmn;(psMl`&p4&s!+e;?@x@P*a5y>m@&As1?%&%TE;3s3CF{TGlJ>u4 z3HNuo=HE|CkDd5wB0HxEPXGb>7ZyIMX|)3)bhyW5BMSs1km7&-dGFJ%rmv=LX1@Qs z!p-sx^%I6+U~=gBjt8fq@DE(Te*@(Z{)FCqWzk>KKzEZict3mG%M(r)<0>RX2Du-p zH2p(Q+WdejXLQYoyw_JQ^mJEpOfWhmvg@Az(M_jolZ=wlWSVcO#@CbTpI zwm=5~^q5Hai_lW^MhC{Jz}mrl^JcFH3XPM^ZFgHfTA}y?F%TIAR>c3rkkKaM_UHKS z?d!7-&I*=yjUOt>xOwD)5NblGGP}dB*Y@hiecF{2Wpo=VHZ=SA^^UfRV)B3GQY%>r zYrzsjN4baRGFR0`ioG}VTb8`oY)&I<)YGh!&F|P#Q6e2>$ zl;7^Tg0(2#pvd8M16R{@2S*a>QS&oIxThv8d$WMWVfb8HTRtjWN2w9Wkl=dzF(=dP;)qXLtIOm1c&8#xvv z0m|XqCu){IfRV?@tk{lC2A93`SIti5dCGyfapAG{+FCOJOE96U9kFTwrg_nweh?({ zb^`4A0GRo~FH;Rsornn%g+8P_Oa|C`bhH79u#SFuL5=-11^cj9uSObTFxaI?dOBvdqH0b5&ZIc6J~p7XSq8!C)_$z01%J8@(5H#eHh^!tRi zG96r~B>I_`CV&rXj<*2BZgkVqkO4A8Dt4!GOEw#Y`Cc{{P*%c6>`ZKy_9cR14g+(h z^=G$ED5{*f7WXr(r#N=Dt!lqh(Z#`YKMP!7&StxOdA_k|-arCWT*+jqrPtfo+FI7p zcscQ1I0ekB-M;Pab57OjW>z>HiO5#2WiQEHdS$^ng@G3XxPJ}A0OOH=2Tj- 
z#fA;A7$jU!ZQOFf1O)K0d5DG{_3NS^ViwV*?rRP1@tdfDu%lq;{VrZbPz0bs_-Kx# ztyOt3>R80lWNZqGvt4NZaKhljge=-##uvf3{U!~GQhveKt zNTDae+>PGcxjUg8#*MRyTB)g56ISq;T~96MOQAb?GOk_J#r!?r+qo^F^VZh@$E;7s z#V2cG4HY%fML(uhv}EyIh`H2Ajzny%Xzg&#A+GUh%%zVVJGkdGpDxtbRNb^o7@zhT zbw!#rs~_`YhsE9=&~+Ax7|k1618O2xPAnV~M7fAs5O2|~ql{zC_mUlV&F(C zC2~1>ZhG2>rw`%3Lh1w81;JF_Rb0us9Gu3GQ)8ph&c)zpH35MF2+n>*g_dG*c8IsiqlzZTif>aX3BjphJ_`xrx`GA?AUwzbZy(G&YLWrc?Kv!d|q2={(!2NRbgji zz~$AMM;!7au9naLZW~REqhuzP@Y0bQ* zp%N8qNi&y&59|ADDn@RlsDi+=oQfLr_3Km1kuAnX^yu7nd!+A;mi^Sge@I&bkm@+(FzKXZA5l9eo^Ij-1Dldk*eU_ zil!2EaZVYNIxoua!A3-$f}M!VR6}Eb@m4*LJ88_AXD?qSG!Bz-Th95&w9;599x1fP!84E3e{?>Sx*tQ&;z^ej%zdR@<8STf zWav0!WHt=7JjeqRKarzaOS;x)Mvt=pNlFT%^X(;q4h z57@sP>z#{~GAu>1S>aM=*mIbBkYP5}Ys;&68H?D8~(R6_>mE=#b3B+-qB zNiJNy_0sT2Q*<17nNd@~OU~ZzS^SDmj!x;}!!|utXmieO$x14fD0X8UOiUgcZ7;{Y zQe#{pzqxtZ7^4(%&16MHyWRK!S`6t9X^Xk%ai`U8gpS>nE=V}=K^dUA4=n;`g*nO> zW8G#8lBI1!%fD&Myvoi#sW^1^ZTjis6!vB$Os5o>8n<2QEqLGM`%6L;lahV=GNh}z zl;`>(-bLjM?Ll~OojwGD8D;?waON9loqf(><>?sAsJ>a#1|pl6Kny``yZjwdgh0Ag z9Ve#5pv5wW>3<$)P)lBNe(lHf^j^-ojxlRV1uu)&ZP}u)>uAb7J5Mcq1i;)^PAsG-Z(?5O!^?Q0f}25k9DHK zh}sJ|yN0xbz5O`Nho~YMh9oDK+eFz62%9_cBU})|{pI&)SG-9psx00pYMhRHC8GPU zy`(A%`kXh&T}PjnJ@_(c`k`%W_5G#~!DMfbjm=9%L3`J$<<&V`GBZgYig8%In$}MF z=g)vq5)FA7Z3(KE8#nsEe=S>vlyE>;%%N_NHs2htrbg?U9zXnJeaMQ zyRIHQQkAGiuN6xq5}QY2!u7S=I+U+72|JAjbeYkg^YF5FvAEP~?c78p-KzZn8~jGg zPE69ceK!y+go9fH>pT5Onz35QBne-H3_J&|t$p-@7~{JY(uczP+7VoBk5B;$+MzaxlbD}pOjk<7sEwB2 z94}!Ih0>_H+Qn;RlTN;HR*H+C3-Mm_#}vCrWO_3zYULIvKwbc7lLe>aq!}=N*Jd0L zDLLr@amJ&g{mWk4t3!BliOrfd*qeS8qcpgE!YGk=)fgsAlKkrz5BJtrOrwu@dDH`x zjv&`jQKCFcCa8YD9Kz6dz~a3DQ*(Al`80w-eKAN}n7G^~&=4hTlK>|t5;Y87xe`PpsShC7!1R96+c>$M8 zbJ$=i)pH}pvC;C8?P$vqdK1^*h>pH!kn7}e9?n|+>RBl5wE+_5UVIiYBkreRfQOOo zjvsqU)HDUzY{ei?f`Wqs7TTlAID}Bobax8-MjxrW{Lx5vT;$N_v3r@+Z9$V9aZ=r*!e>&t2QJ+I;i0>us&0 zbh6lFko%E`<2+n>Tp(*86HR48v^3J*wCPh^+@T7;8WJ2?=3=kt;Z6_eilR;5;Y6Ry z>tWt3_v+z2{W&hMpp=7YgUye=vS3yf6RXAN=X_iU64dPZBgr@#$BPB2D3BOuYB45S 
zM1(5*LfelB0SKj%0hZtS-L@B+O}ZFVX}mp5#F`~K#F(lDeP@yvF))~3F@@&mW`l3kr>+X;fG*Lj${e49%RIPym$SX4g~2whr*#|HMB{Qg^O(T;wyyTxjB(nVGyE+Ed!6Ize4w?lz1R ziz+WC;4^5uxMdsVOcjqE0m)q+t>Jyd`IpneXZu1{lYddzq4sQ7XcSN}`6Cb>f=Jv> zhyEl-p%bLLp}*pCuSg>Z@zi{mq-&Qh(ea>U4mg#qLsg;~pw!3NvNSK>cG2l;V_oCd zX3GG>Ow&EBxzbQqwV&rUBeSVO29A~cdB!G3zWEF&=3sElrw>`J5&j!a7v$ot>Kdx5 zy~G|CUnN%=aKhp?tNP5Dd2tofG8!6;OL$JK^EPryHp5lcEqeHiU?T-ChQ^J$bYpB0 zUN;sR?TTt^Prb33w~1KCvEzpdAG!;sqCmZMfbkXUp?d=mpsPWZxuXX5(eT?K7~Yp+7j zzJj1Tw^OrkCI*CxH?!Vw#hI2CqjT6fR|MVpJ;4DZ22d3O8Wh2r1FsE_R3z71{t6ts z`YLSs9m`0L$~c($&TW_UHR%E1Mn5vM=;)88VR>Z2VK@etF1kF{wT`xe@d)i?-a5yo z@6y6{K8Y^JkAKM?%jW*|=jLwDU{T&yT#EYL`JJ&lnu{pIY59ts{TMx9$51b~X=QO} z^;FAWqgIxoGs01{)WBvp0XQbJRCn>`WF~MGT+kMA~ z;^i<2wq1{=O#j@Th#Z%og1Xjmf7$GrNgygbW?4)yxpC%6Zh*szfa+5G!gQORbKyE* zF;1bB#G`;-J??>|v}#`mTU)`85{21-0T$-wd2XW?)1aU`!Rx2pcTAT?qMRqd(^|XR z{ggp|k7_PNE$>yl@XvXNKkwJ)nus)7gxK6A>6AwyDW@wdH5!0=tSt%~;iO3q@#v0T zKVD!sTH1snt$?J$3wTETuor;SwsFh({9TnH|c^A`Dh78;QtPxXrRA%G>|1k&kr}V34KU*4o!|>Z2t`ew^o4h4|3d&GS~XZ~xraY1P8g5YTqaTizwN&vK;BcU=kd=5YU%pJ+8Mzx*MY<;*x}3|Gg` zBWpAlEr^W4OpD~dY|)So;NKhKz@Tr;q4 zBzqDmYr(XH-n0@N)eon#s+`9g_=&0I!X3Lj|Cy$Wa7{RFQRY z0&0odUf@@HdKjyddttvJGqDl_87-3MtpnHM-u8tRqs=L{)De#meg2Fja?WrMC_6@o zSe1Uqm<(fr=hxbMJhX#D%nlE+u?*!Nx}uje+R7ZiW+GK$s^MnFy6g0h+d{jSN(Z5{&st9wWt64MY2c0L<>`Zh*+D?NTb9L8vHrBB%{fjECzo(E!a4)8s zCqy;;TCYJeCeQMNcrMFhR|r$r$v;qHlUr%&;NVK?7du(|CBaQ!~H; z)6eYe0RskLRDf6wX^uk|Enny_WWPzMgP8seT;P@@>ute67{WHiGty2a9?|rz*X-yS z*@jjASnKF|zqIPHx>D-|=1V${T>5MDv1>9?6?DAM^-h$X8aKsU@b_V*l*e2V1WALlp;4^R+C2LulEVl>|A!M$0}Prkd+N*XameTacg6KZp(Xm8I{mu}wzOxyQnSwtfVD=PTyedr?WT zfY_b&dw60sRoeW}H^6wEt4Cttb+=+2*@&gbvktA_Q4BiM+{ z&TV%6HtBhShagiB3W|!4#{>&BZ0?Je1Xr_&(=e!edrX5BhjWs}=MC>8C>T&J3&R#- z$s%3|w$v}mg?piRE)unvP#FC}D37_b9Sfc7*HIIWlMNm>A(7Y)3Z`g6fug@UytjgG zT;+OI`Au*&U2zoG%q{cigRdwn1qH-^EIc3Atvym8zxDoVVW2CnR_;5EoAteGa!gc1BO<)-#DTf- zt*R475$=7Wh$V|*!ugBM2p-D5UCRnZ+^3KgPX;|rP9Df~``fpSa1qeON;5JuMAv0! 
z@HOMvwHt$nb4I__#mC|4_>xszejKs@qtvC8c7*!O+C?e3xqp0ZH6bsxN5KJ-TxqA+ zl;Hy%OidqIt->R`mvifK?{jVpydtaw^Y<++!1_##^*4{`wFbLf*z{)OWA@o7igKVg zD|y-IqqrFwC>V#Dx-|iYfs&u#2G*}%W%|H1Z`U0nUV$ZALezvWP)x1{s;^q**t=T> zQ-Gtpyj@?<(t=lOnd;?M8m32+xrW+EH#UHo7yy)IPl02|Jjv&udGYYRr5ex^F0?SSy;6KD1y5N>HmV3xvOw+RmVSDOW z&H!go`cWM(DXe^>ElDLaNlQzqSI0+dwh`C^0}ocZ1n9QSLcJs9lvcb0!Lxk1epA7Y zi46j#VrJmDYPYpXf#lousxVwdV&8Z$!_SOUGxTQGK=D95uvc8_JdzDakrR6;z~t~c zo;{1*E_DH+|DhlA4(7`bLKJ*Y;R8Q)P-ChOn=Qa<;w#3YNTbgs9cA<;)(EltE{|zy zda$wU{%dXWpPMt}4n4<26ZMbS>OW!Na#t9ODLa4AbfVl8#*8T7cu|k?D;Q2$E7{Xc z> z%8cmV9wX4R1Ho?L?>c!r*N&^F%n>TqPP4Nh22p2GY>(a~Z1TQ8Ho2&NCsqq$4cp6? zkAzF%sMvG@(S_;+(k;hT04#+?Ue+hGKY#N~hy?a{=_0%vRTQ&a5f?&af#|Cee2RL^ z$Z<<4TDD}#*goDINvCOp^_1+#1f?;3ZmKZw#AWX;y3y)V`-B;WHd2*XD5!Rh?8Ik7 zt3w6fmXqfw^JCVZD}o#^cW9z_#R9NhX~9O18;!V=iDh+4VQFq3p<0*c{++m5cW&tU zXpBgy@QMDMIrNPPnUlN5xF!`Y#puId6@S_>DB_+Dt66PwZeZWOW5y}Cy$v_8)mDC= zG}>UMm3fD_E`~GhrJ4#AyHi$J3hJi(mavq&4D5wr?~51AX-T;X;3u_shd7_VvREun z{lyssK9DvPcGr9^IN7$ZuSbFqVyOyU5AKBQ*q9In4mtl3(8`B^2*Kl$w~~U6F0HaE*&F zNv(WiyBuP)n#h)%TYiVsMKWUz=wlF&z(SAjEC`{Fq-UcgE_q@3Yr?+P!K?B2B&4{s zWe+JYKYR%G-6S|k=G`p$^vSbw3GJa_jFF;BRT3FI%gprRN()J(@`oNr&|61kfX*)| zV|?36MK;dlr>~lm=DL6d2fyS3f`ugr*Lx$hFbSo$zs3e6{+eFoN>a(g% zpV}Omy{bzm1PWGIXuwtbZQ8IQRZ?M2it^eOp62h$PA)n0kd}$qxqw}Mtv1Sh&Fh)` z&6Wg(Z&T^T(J-7eX;gkS1O3@!P1zO8?N`KA%j`O<+N#rk^;u8d~k z4A#g*FR4izuzh@7r#M_lex;?Ba|rD@WlhCdb^Z7LxV7}`2sst8P_%!Yci$kJ)vNzx z9<5`Yw^$#ReE2r;FWF3RU|ROHgvcOVW?-THuUem_4dFPzv$ZZ?m~v=Vxc!!YwWX?x zz}%HD%R6^(-D1X?zC}V`#i8H3y&bIm524k+cwYSncdvhFd;T)i`X9ci^xuoH{&^W@ zi$ae{Xf9e}&whVJAb^e~%HNIH!`>!4aZc~8x^($+#kz3&F=ra5H4BK;Vj5{sK(<54 zD#=Bn`?luhIS&s7$#+h64Gl^^#9mLI5VGGRmA-AM87Re>)S=_4Ftg|Bzb{DRVjQ8Y z4*$L*t7LNR^nYE~#x2x!$}S0^mXAyqQ7wQVNtartzeRjI*W~bzD^vfE)Rq6Y6@mYm z&M;#)YmWEIjvYIw>KWeF)a=*ov6}-)1cV1OPF+F_8Ss7Rc;%nkvnqXIl+48iiyI8F zz?zEQOt(>MG7U=iM*o%E4>@4f8+a&L3H&>NS#GlrOdD(-Y~$;>e)(UT!;EtoIn!&; zs*Wx`$88?Cf!Tz1{8!Om$)w0kg@l|l))|cHUAXX{>%S)r|%uf1q3KZ=&FDUK7W2nn~oZgh9z5x 
z0f^VHYai?y`}|?RXN^h1{kq(B<27eEWAMItWFz{B6Qa1Hs9Wt`)e5J{DVCa4M=nlX z5`9i?FWq(L*aL+bJsoaWTd19?*}V>{Bjvc*{rg*wHaONS{cX(g!IOg^jUW>NMx)h( zJvnF05X*12MmgNA*1A~?_iq$-4h2sz3l#t}z+xx1B)~hg58xMivn@3GL_e>`)FiNj z%+H{~GL_L>W5-$OHuwuj20rR>KZJ2e^s|_ZSDj=6xZ$n(+V~=uRF?g z$j^8GY`tyU;ACwZQ+nfzD~>>?@yuxKBhvsWQj>NjHhjjf0&F4r(o<$ZTL72w!5>X` zkrtOnagij|D&;521Mz)vF%D+(D`;9Q11cPuE)3Bvl8;hS4&j zALqnKHR)K)dd@x%_RWBLsaE>F3;7NLkW_W#UH9)##ZH$q+51EZ_qg zRWu4GJSnuSSkYvR=YG5WxcnQewL_-$)I=Ftl~z5l(Dr`AXqRF0Dy;6}otK1g&~ssY zySSQNa9pR3xtOQ61N`@WsM#(ujH=agDlCSe;$)vIR>Y)vfZ^2X55f|4NOU4oUBalqfqb*oiX z#R7R}Mpoq%f{t9}5Qi(plSTsl@PD8p|=$vTo9Xz4Z=g4$u zh?S6Rl_P`LWx`}VrU=_=`WN(K;68tU0friV3Uikc8{g#Q=$>}F9Ev_JwC4AMx3ZFu zvRqVKj!;1{v~zo2I&TpcLBkY{OKw^V9}_$4op?A83RMtHAubaOfk|`h9}{KqRoHmA z)iu~pa33~2XWG*RbkpF};O}Uu>X{*{H!?!nirr-pcL1u+MsXJ z33Lg%-TwR3qpTf_J+;NhsET7;xq$;0MJN0qhQumdrKF;!*1L1t!eNu!J0N*xk8q1* zf|SQDB!ww6f2~yW)-nT_nYV57_<}| z*2IDi#><;qv&m-8VsqW6Pa%bV(&{-wo1EZp>Ao;3Y}pkxld=yx0+sa1o(X+AIe2D$ zLOZ0kxF8{htsnO2p0WGA67=p!T9thu&com3pYVUnC^vGmZ~gL*SXhokzFDA{#^|cM zGLcEYW#m&7FpI_J^-`lK^ua+&&42zH+du2M<_0-9TLt^P{E81sxm!-COkhcl%_Ky- zY{%`aunmFYve~-`m=ZQSN63;%zHEX40XDkrU9EQOEG!fRebuAcviFCCyCPfQ;L@A5 zv5_~NciS3ni)>f6u-7#fIG}KgLrKX}V`HwkMb1H$2GJpQtYOE);<3Ak z7-D0a@5@}$xOC4(46KYt^eSlc*awk8$F}=9=C-Ph>k1AC*?WuSnR8KzN8GQTi^xmr z)TUM3_O0%TvPoApyHkKt4bViBe0s}OLraSxCFXh%vMF~auh{nZ`CQi+(dJrz<5f?&2giF@5vg%Cjj?^<3t~O>2ws1+Q zzFI>+Q5On!aJn8>d(k)l)pj*H`I-IKYW0`e-giTo{zbR={9=O2^5rOt#(6m>9%G8n z1XW$Fnk0I`T-~4Ls`o05B;ig0CfJ%iY;*!2-w``2XmG8JI6^IvuP}rnoj1Zn;n`T} zw$Q`qybvT0>V6_EG(In&F$8@*67lt`Kuw$q+x88fi5WntanetR<-0Cky&6;1&F%8G zV*kAO;!?zQ^c@*L4G8##AO`J$C|aV0@~{Pr$#ri(XYO2X2!oGjMqetR25PTaOHDXO zdP!xn>&}wy3M&&{n|pvi@1o;qkQhI_#JP~?-^>|+9|hB?IHoW_J|xL_p@wQQW}Jx5QEJX|u> zcqM9DRSKa|MT|1908|Q5 z{YSyc#$33)>X~qlC$t-+kFO755cqRr=l2aJ*)^s+dnD#G>G<0wXp;rIKQ zbmme9`e?7X9IQt)#Og*JWXfpE?KA@feY~iJ$P+mjU~hv!Uk;*5evf^Auhkpj_yMlr21ZW^8ZK^L1KHm<-7B@sQ49OBCOqTD)hCoN9* zKbba!dED4LGxuAaX=jvbF)oJ6Puco9Zr8cIQdFbc5&&Xz3J@7c>(f93nZ)N4^9W3j 
z);xddlTZA_Y?ST;6O1=*R69ombQj~FqzMcW3vv|kxVz6Ba2_282oR+@)$ZoA0c)xD z=L+ct;;TbAv+EMD2pehg5IROHs}uHr8q_a}i(5oR-AqZwjgU$VTuV!VJEk)66Ake0Y;L-uJK{jS1J{#ubb7$+ zWhmgOJ2$5hG-*OzbTOi0N(Biq;~0k3K_}d9FvhT9LrHo0 zvk&W0s!=1Eng(K$=FDn28n<*qxbB+~+sg+qTg8!}q_L5K7fcJq-C&wA;*nTX+b17H z=LVg&v`3B2=>x3Md=LihAn6k(RMa&XZzv@*${mwM;#$eQGL~&$PR-kX;_ardwbO?n zxx02$2DYA_F#UaUa4+W>QYL^_Q&s+lbGA;f$rRcD@GNBG*CDS&XD9aM#@Uf#jNra8Rs44pGP-nL;<=r(kHOGz}Tap%Pziu=_7o1^4xhK#5ATk`&%(HK8yK0ua^wO%S+S=MUNo9o2!)X$XxZj@`Fw zUpuMEHrEV#j2bcGL=THU6pv2b-*&FA`d9^pFmQ?A)+*;SSFSAZV=QAUh3+e~fFkw4 z^grzoyhhood=>w)OmRT) z?(rMagBhq|^*MzEGP;wcrK96qr1IZvF}7=KxqW+vYc#ZloZPyPFE88rInDZzb+arx za{HUjH*c@vW6Ce|T~M;Lulm+Mst&H{-Me?mc&-86ZeZX!vGSK+eks{~_M-q5UOJiy zae=SS@AC6iHfP_WiX?mN+qdt+1^H5E>62HkTmfG3HbWK$b(PV~E}hhF=uDTx&dy26 z$>AX(m!CRL987)RQ%>*eyE^aA11GYiSCMQH8yoAtd&ucme;(o{IZtbl(*y4Jeo0xi zr`p2j-N}9$R^@CS2?+`LQKK>%S;0k2X*zD&XEB!Y&IA+xpCM)6Us|=>< z;IDqlrT_TNxv_h%1ne$;5n;S^>8aXncd}x7nZJ8@r2bR3Nl8Bp*RI+d?Qh$~eWcz& zO}pA) zrM5A%{(B{#24;kjKhEwbd3lx+n$YaY?_<|IY|o3{66Kb7Y4rnk#CA)|3poGw$Ln(B z$dTH!XaBBhz97cF;ckSH%Bon$hYzQRE&q3@vPwQ;t_M*qV9FEl%bd%9s-XMQ^ z@}6DDswdto$(iBYhhg-PKR*gj_EoXvC6|v8VxO`}LVC!;o)Qvxdb4I;iYs2@$G{RY z8#HfTciitby}ma8?948G$HXQ@&wdmizwX%|Q}u#Wl$0V^;E)jQsEt*tsz1J39P{w> z=TCV>MUoN{SF9@5R7nG0L5$z8^gip${+Kai270819dWKQN(+4zs`kog+TLQ00N_i% zapGm_U!IcJ!6*7-38Bw1?QqLs(RdlVw>9bq9#dI-n8UKfb7<@4q}JJ6wL z+s=Il>6iCmkx^zNYT$=K$CZp$T5?5p!h~1FJGu^>xMr8uix~D41r2Q3hE^If zG68H`_PHW46a^xnfS(Msrr>K>Hh+E(7SZ(a$;)fwd4%+o6n+2q-_!5-Puy8T{78EI z7=c=P9TOq`D(jvSxDR!c`K-TU;Enr@WZE622TJW%F~`NS6MG(St5 zCG6L9pGAh-FdVEs5L$@~aD?Wk68Xj3^%Qu(&Qq@nubZ!xrm>E{5HDN~AHF2c7&&y> z32_wEix!=v@yw!fjESyQpR!&|+T1p`sAxRT`|9dCZ%~|z`ua+w>6&TuMmiIOHl&YGy7m2Dg4@u_FJHoB-rcpXj62ppe&9g8 zPCHFGVsq`{hzLB|d3E95l>B(tZXG)=2qyuJaZhl@kWRj3*hyVE_t%;O4 zxG`idp2XD5j5NqjdRY7JcZ6D1>f*p@b^kzz4FQb}b$e`<+@r0@!!tYT+-LNa=&GaCtOpE##@b$mp`SxZOF}CAM8lJAz@*QWJXsh<;>Yp&p2WF zmfxSBo#k}kKycE+hDLJ^2KD@{t$9y;R5HqBPA%X8$Mk90dA=iA@NlhCcE~94X-uu% z4%d5oJ!^GC(p*JA|KUzj=)J9qL**V`R=lV4k 
zS1PYtNX}s4ZFcA|Qc20MC>*4l=sv9Eg&t(yc&^hEIR^dFf>KlrIi;K}j_TI~2M$m@ zgsvgdt!bz-oXeTd$YiVf6Q`tWAB`eL$TOa1GIi=yVNEsy+=mStMwzuX{`jYym>9Xm z>uRe%^_P}jX<$&e>kcHu&>=%=t4igvR`n+U05?Oozs058`iqIr8M%_%3u9EnmbF7I z8j>Tg1NdPudG_oC4wH!%>lWLy1>=eA(_$PP*fbk6!vNtxxZ`(zhdE{h=+VQ66pNg? zZUfZk`RAG+>N=2wG->ze>|wfIJF;VB<>fbgDM(!Bx6|um!Tf#u_rot|?3u3>cKGmN zj&@?(m$C8jau9key26;TO>Ork$;^ux2DFvn(!e)C(}k@VW0W4WgK%+0zyrAxTF{iJ z3GO~C#-WMdFDEP8t5>g+o}Snf0{zKTu*4_5ye@n{IdUO@Nu?Q8S)X!3oI1aZ_KyNf za^b>-hH)K7vjhUp9Nn#-YQoi$RwYhqWEb+&k}a}h$8LLhX|<}f#hIs@F#O5-wAgU3 z(_*)e=Qa0~3^_Gs^)y@CdiPcTQbG7t0dDo{u&d& z@k5866#%8YRB2Z!CiwWwg9i^Ly9gjnDA5{{trAWQCdLzPge*RnVGU9m!3OMgVfUx0 zWiw{@0Ss2I^sgGNRU)TmSunfN-r;e`!c*?>0!fECvCI{7*mkcYjI|(2txvro<&Ie!*SYF= zAElMq>FMX*KIH|yCszFcERO@?3>H=ONq2qlX&3eF@&4nFYn24Z1NG!bk2a87Y?mAF zA~iHkWo1sZol|EiW%dGC7;&7aTY%ahj}Oa8A<_28u@}k! z&lqUOgT~j^Kfh+4rZMD3Uit)-Y>Q-=T6)jep)Ohllq zRdOLHRY9BYg12n98?g_p*ZqsX3*Y%0P0W)BG2#PxV%>)v%eM4>HINy_iu_c8^_U&t> zAKAs#E`8V-+nRD=!#dxW_h>$f^rl^9wEXpit#`L~OS;JICE)Y1Yq+O(HqobfTk#vH z#JEG^!i5DMj0{Mrn7Is?kcxh(JZ4I$74?Lkj?U6+>*r&)XVZxmA2FYa5NWVmUW3F= z8vvfS!jdyRXKg*xC$7l-r9c2BpHxN`Msc;myb#c8HCGZzF+v#ZG%cEZDBp`l@r z=86*E;7-$53_-4M452vq^%=EWUWhaVeEJ0M;(yW;lH^4|uy{HZyF!dz&_fjC)v4t#D6qL!T}$?BI-=bOs$e6gV|fL>&Q zqsyeNxv^B+$kuuj3cbBwWMnYbv+Sm52`j|_Cy08MtMugc&jzh^?w1+fZ&A9tyF~9h zu!3x}C_lIfUZPL^3KbQzC-aJy`+dSx)HCMnm_JF-!Q~Bg-@JFO2aE!SNjL^tuRtM7 zaz-thKmYmnkA4%T1muKe7aV6n3fzJ=| zK;9#%;TUr#D0J@p6nx*&1b*wD%Rx)a~1^kK%OudB?=~;{zwHiWR*I@km?g zEd>_5f3Q=yhp(q+;9{q4G8d(TGhk*C^`7-nFnZRwu;JKF=YBh@O->8dXbzjx!T4xN zPE6D9W7krQEyf(!&k0CewO3z9hm!e{xMuQQ-Fbu8^z~OhcaRFI?K@V)1cjlbHI(j6|gK879ZK1DHw(wuUpo+ zpX%%=Z&1z3y3_&M*=m(QVLA@sTT~L0k`@+aZs<(2+-IvtUu}!HqDbP=#0h<>e0)I< z;IKPYzOt9&SMDd>%zxp1`$M{1=IaZZ*Gd*nq%;i<9ua!f#O~W%I0q&uYh(NG>~iYA z{Lp@{PMRG#kZQ7FT;heqbPIO_kC0cgp~Dwm)m}XJyqQPXsX58Rm#F!intNq~vf62r zjQ{t)F->pgv3|X!qHZKezwbHPg4eeKehi`m}-A z4BjK!gOapIo|yJx>jj)BnG=^#8@9f87m~o?pN{k4WY3EciS9> zw9>G)1k3GFxfd?&B0c$b{>tIw+}Ll|!N8-J-@3FteER(P5G_i3e7mwOi_OpI%>d%? 
za?-U)*Jyr!zMD_Y3~KmIltKk%Wiq{c3%*YFm403XCm`^Fg9k%GpM2K;DC2SKe|AI9 zUGL?q@&B8Xv$nDsHY632Y#%2luefV<8AzxD!9wSRVX6mtJL@O9uV&_H~GU*zGIn>x5d5*(pH1z+wmaEp|8hAB{61M@A+~ z%$R1K5OQtye<#%cOE#!DvaTB0kotg3$wHxMVtU}Z!!jpjSU&v0z-^?jT`+1vch?L# zqCe&;uq;HN>J_#7c8*Pxpv~A|E?~0Q-p?|uiUeUiV5$hbmq;!etmnc;9HnSSi)_&6aPiN zGFmq-xP=M%V-|>Zf4gq}6hq{leZO{U?vgZN@6=N99KnH>|2dJ(;p^^8pZPx+oXKk4>@G9JzP6qW&G8L;$)6?#JJcPK0;-{+m^*8s# zPm8ywZC<=>X|U^D;PFHiDo8krm5XomrHOK8hI7HJw+8q;v=s58n4bkeIfH$Wg#t`DWg`U%ykd zQULEOS4#KlC7Y&VM3AU`PPv|NTN1Jzui~9|-hAm{At#eun3U1ZfD5BjV!_NA2gkvd z?Hp~jq!LA{sAg>oI24tQ1su{U2@4AY9}-d!c9wc|=Fz~&&{Yf1&ymu!wSp1_D{k2Y zxlg;*VQY~DhzXz$G726FfW@~b^z7&fhiG5W_YM41qE;nANZH`AV8x2jcUnd1+Es^j z`?FS6{!1|zT2@aw1eL~DsPm{HL)MV{S5|MD%7ewqw6IDdtNx{pLtw+jT*ED(LUAgz zZ#WwZTeHgd$(_1%@l)IAm7y>nmKTc6M!~zYG&b$(Mgv*4VI?`~>FEOK4-TH4+gWA% z`#C!^Xo`h8Q#1}4Jb3lP!#y~9mLdF7(Oc)ATRwTFOWz*7da3e`DJbbt0%k(zUg0Q} z?hQocON%V)#XBl$b{YbYU37-nyN#myhKyf9JlBCgEFPQwL6Qf?lFy#;GF|E%O$%0lDEn zx7)hzSo=3KpR@hW30DB3j-ibGUQ=`6&>`3(1RY5-slV(9yyzyB{c1b!i2HcCrhom2 zKDYn-oQwDwRi;Stol7pSnK66z;rhY> zv6oTE6()I8t39ql1uU`}*g}wqZVSE12}QoxQWYo_iH^@*F*3_uDK}+#?cys2T#2y!#Bm2{v;)z{hBP1dqDh0$K5}vqCYyF8W!83 znJxdTe4iqzs_WRZxdMHAtYyPGDzb`l2gHB8+rNd75Ut>6>a`dD(Q5o(PtW1{7OqBHD~JcHbFiA@knC=m%Q6r<8G_w(k}99AZQ>#glShPCx$3$P6-71En}1(9 z-}h!m(h9XkZJKHR=BrcA?~Shw({ePnW+&ZDYr3-~&h%z-!l^PD>0z^4f1D+z1OEOp z^wwRKRX3SA_0iYU(*BKKB-3(gKFfN~-7?pB*Aa*1@3!OwwSMXPkC)|p!%W*M-Q|K; zvHqsh)wMSr?0gz;E;DhK{GR6jX2PfITlA8@lo+OMse9p) zuHfLbaAm7Y?f$XM>RpoE|Hv)gIqLl6D7)98#sR5?q2}W!tFGO3`)tVh_0E=#Jz6Q+|+bR+UbECNtT<<`}LDQyRhIw=*5XezS~U-UH-YA zHrJO(bXWg$rhm}gn#ic6v`Ilh$)1L)u|j)yb2e9@E0o^o(6QrdumWdIKs-`@L)vv6 zU{#qs-t<5HfmeA(wLOpX1Lj!gsoe1n@y_1xbdzp%Sx(HRtQ(gujahPYE^<)NP;^sc z-OU{PNwTuj&j+udpXn3dsjjtg{gb7wR@R4Q zE#Bz!=9_yZq#bWKHeq1IsM46TB-F3AUI{b2_BJ74obJSTBb7@YzfS*tZAVR7QRBU?15ev%T%n#3 zBFf(m=!^(8T{GDy{`FrkCZ>G;?yOrp$=JUx@n&Y~*LyGC+}NeCP%-jRlSx)v940{( zZfYM9^abBn_x-)&V#G%PuK>A7mdWsIcm-?uMpu0ys0YL@_z zkj>GmhbRoy+%|o}UISH+w)TTCVI&^zYU=kS|vZN9zPov{Jx<~0NIk_twb 
ztSil~7atq{cHS~$+loi7%2)S+@nVP?TqpOPplvtt4_{diLm1 z@g+$~>r2AWlBm!zC4(~el&$v))+o`)wy*o7bhmt;&5Y~)diTD*>(kPmXBLgSo|3gC z<_#3N{g|ez(id7)=?lSS@=Y5fqRziPJJF{b#i60pILDzWYT{0S;PBz^{dT{lcb;;4XQ|@t4`-5;V(O1i`V2R5 z^Z2eXGi^RWNk(W!r^$66uWo#CF^ZQLap&`Geq2>)L=4mH3!Mz=V3wn5-Z_`-EQ>7i zN8A$p!tUJ>x#~|@L2vgI1)O@2XH{PjAJb5sHDUYv;P~Aooz z%4za6TsdFgmQVZnPMKzvo>J7;1=mk^Jij=6H@)JD%w=0Py}XonbkxOpTO1l{tAtk% zU5Me6ZK0>(g`paiPgF|kgM032sCuDQ9@~0@$LpyB=lb1FK0Q9PU5VV8x6$nP{YEL* zo4XQ!&-x#(nv<21=-!%+h*a4b6uZ4V`liWjHI27A-runJ_(E9 z-h0ZxC4qLIBa0^b@AM5bON@wVw5fO`iT`4HpD`)&;${U5`rj*NExa|0i_EJWhi5Ukq8kY3Mf@YrGtQglmQhD z!cat-fPhGoLApa582)F2QF6w6?!Eu@+?%`B&04O5M`rfk-~PV0KF{;gbH_g)Z@Z|G zhqLaNoTe#}+y7vVil3odPr5)jaiE&rhe{L3X|S;Q?A{!ICC*)h;)tlDHXhxslh!sd zRIY^X6ZW&Ik=v_l-c?Xe-V8t)mU&{lJ2~-|vUhxPo<4oVFA^f$hM6{v*rsT@RH+#l z(kZp2_ zlD9{hFWuZ6fv~QUU#M*!*>iDE1eLjga-1SqS0uv~DPDID5ver4so`Q}nb}?z-t0NX zSY_!t79W{ytyq(K(ze#DsL$z@-nypA>$wxttBBnvuxQb$ZVo52(J7RgHN_dp4^l^98Sh4-2MkM2U!GfcO`_XKuTiFr5n68;VXjj6Qm-_?z$UBx#eFX{g)dQhnDNOw z?c08p|6%|Bl3)|h*awe4?SXyPRB)WAf>UyO{cNDsUr7eo9CLDnYsVE-MosMQ&#&28 zSY#0tGa}MmkJw-*`}H=KS+yGw%E2dd0MOPoc5U~S%yWS$DZ@Xap5nLSX3SWGqTBVT zs6=fw^cv+a!WK+L3xUodVVpZ^OJg_8<=@c{zrb#EZk~iuIQ$w&v$#Z@t!H@4N7DCa z<3ZWgyN%rkl*d%>ut!_{wMS98{WsTia9^QP_RWSt|HkG?9sZLe9Oryud$zaGdE2(D z_~(uEl;hx&g*f+`r)Zf^(b=vM*Pfn(#7e#0#$JQN+=QphN_I zCD9D1xWr%T)4Zt4((dq^w5e>`J&Pc#x>V(wbd*-y;Z<{-`#3MW`0?82$Twbk z)MAI?OOriA+%|tQgW3waX{?eNRcMBSm#_Rq81-~&E)soIgFIld{dWvLUaD(&YPilk zA4iT<8Xy|s@{-+`U;g;<37YXTEa+|d$A}R{mCmZ8e`+e)z?F9SHk}OGFCHh9-_>fv zP;$b(PdvBoP6_fJndl?u6CP|&=cDG9OY=luj+6%As0^YRgnC4(=a+ywAQ6W5{jM|l z6mfo284?QaqjrTO4;=5}CGrCyr>D1EKp@MuIZx4T7-f^k8BVgz?rGG%8Vv{|T0OhH zo74#>K)(@>&7@324!=2&YhbOWmC|E>dgc+z1CaSZ|q3 zu3pk@ybh#tCUAf&!Ifv^3dQBh4jxiv8iyGUn)O{*xd&7At(~uAYg`Af@o2mr# z^4zl$MrL4(vlGG!h0=fxBCJ-S@!Ji9_mXTI*sEaM8X^^Jzo1&Fjkc!Fo3dn#dMh!X zy|If{2+w7gYLJG6g0-r}QhFDpo@)K$?p?WVOPi{Ebkl$hVV*+27`%8!yG65Z?*@Ck zYlC=n3Z`&=t0T6A&-?UK%qJI;vwNWgm-D(VE%BIqco|RvJ&1c6GQDFO2B}Rr&8*TH(%urBcUe2fMiK4ts7=+1@=42t>dGl^WN5_X(AEW$E 
zPBXiC>z2Ocw~H2CxN_wrolN;1d$`Gc=m6^lY~BQnLWEmy7FvaYItNg=SOU$%yjolD zahO_cbc1f+GdSRZCZ1!;k8V5NZVLCwb{ny=^d3QQf|?zZ6kE9QxB9q_B1 z2RN76oq-JTMVNBrf7Trh=MPg>25f7h#w~ll{nY@Vk1C%oP<;BZOAO|aWeSj98g}^m2sO1(@(_T zF<$Z7#CxfKgeY;eza@Wavad(7S{bEnn8KY1pHP_xh?6***y{^F`|LAd`A=4#N_gN+ zO*D^i{UiGnk?d4mL!2S!CGTCYqsWO^$OjV>NxpGW@79f55yAy3I$G$bw=u%4`wvjXm#!; zU4tfDN2sk%XjKjo^i|)2qfl1Vv_7Q7$LdYG`_gB4Zo^DvaCUv*jd5C=a394$=-JqL z?XNVO*d5Vjp~h28l{&jOue_T%J6QKe6l4^icd3iQX2>hXH*Dq9d$+f1JRyAdvt$00 z=RO4ikmrZxCmfbAZDIi1B}#~h3K&7+TA>}~kyFDBwy+dNlWY#VFP_$y-7V3bAy|A- zW9OKeu5IqX_kds2e=Q*3iuja{_gP5;rjRU{(8thU-Znx@28KNTbI)Rh!SD zR34BeissdE+I-%v#6xS~U|ygreE!*Icky`>#3cX-0ZV3-;}jc=BDQW{H`ZS_dFirc z(N0=yoXWzu$1x>@#X<62&)=^EYxm&n!WG9KHBTW5Kd7RYW_AF8;Whp{Qjtm{W!goW zz$3elcSTp%-F8aLTWAha2Gfz;r{1m$VtGmpAEH2JJDhv06Ojc}bvHRRSTi3Z7E5tD z$d5o}qC!QONEMhp@!OJ(%j&BJT3<;U*5zM{cSG$0g#CK|rrj{LT{?+kJE$J-y4t4scjR9bEQi zjPtcYgBG-zs^a4ttBz3wS-a-j(1xdCf?vgWtw$d{pYDBQZQy}YIOTecB4wP}bKn%o z*}@MM_crEKSKv%n)hv*>dliRl=!&LWoL9^di+HLfKq9Ew)EqVSA5LW;fUD=HU7#|; zkHu(RGah)bK=N=X!I4>_koWsz9j;*Q^K9$E|4_XbwR$X8UTwGT3TV7wH4dV|D z!a&(ldlfKfveIbEoC|4YL zjvxby^%85e$fW@QL6Aqj;lAivTvYc+eNUuNbE@LnV;88!Z4a25-6nk*R?j(sQhWV` zJo<1AT-{fqG(dGl)9Yt%4ic`Yfkh4vuE^XeyJl_47q0=xxQ^2liCm=4rY3=msF3gv zh^?CyMmk3~O;=BNBHp3lPfMuZLc!^h>y&I^))_P1nCSfydRqsRbaTX4WO{6v-cW_^ zRgKAc!;eN%TQbdx{Fn53(2sR{MRJn;2g`Jo97}Sk zwo~8GlRZb9Zz-5~_6(_)1|-wMT*~7~2Exxd`8$ghOq{4XwWf#2@qsl_aCkdMUwBF8 zjlPWUsq#W@s-vwcOIq zXG!g?4;2ZQp}(o`rEtb4GUwYKY{GTC^Qbf&VZjx7Dllt#O*!(*%kE$bxfsNA4 z&QFw1jLOaV`A`kbR6KV4eu~bX)Z%KbbsgeD!?bdWfkni4{~wvo28>@Mt^0CMRxdD6 zu>E#&WSP87wc?~^^nnKX4iY0~LGR^7-7T6L z?TeN{YnzAKPf6T=Di*t(+L}hc{oCD%`x}btbky(hNvVl_JbYEv8MC6I{|S87hoAqM zs+8Kq+@Aw_IfJ7?k~hc!20P!JjqWi%o7lMH+U>I9&z_wzJE#2dkW3+$pNeU&z2qIX z&-b4|`Tm0M;06S`{m_x;!6qX0LD`|!ufMuv*SV}PYo2L_tXfAPf7Y<7LGZO;r5zdL zbAa^6BRupoJNF+u)9(No_vVS#ik-`89cnfFc`Ku8+qyFG74EEjYXc!+YSG+djNsDG zzRZ|2XE-HxI{H|SE*T2&_z$iliM(}axZJF1xXyOUNvu$BVaaGBdF!fZ$0yoTsis*k zD~_5s@5sCD`Kj}!-N`e3?%C0cXr$^JCE0D_^Ud7

M_#SFeOQmMz_Hp}lBA770 z_aM#Ra>I^>MOUsyY}qbjdiYdBk$9A^e&N?rex>n3ktufe-;Gy2ekM@Hv+3~$_!FWV zfA8KdOKE^(R;{{UVSMydmLYOW^-f!poG7PX&!5+Ji&NdZ_l)#mfLaP3JU}8;ZP-&; zA*QMF>$!89-iO@c3L(s6!OMDcWt(}Nw)Ek6<~hWB%%841-8Md~IRsu}dYb%QAM=Gv zS#lB*WyN0!3MQ;$Zm=*lbRw#qT>UaJ;eXuA_PB}_YcT6-Wcv0%?Lrdi)N+B+KJ(tO5L@|`Rzdl zC`Kn7AP!y2*%b-;s-PK$#F$U^*wVDvYuBxVs)IgnN{GlZBgYHraU3J$yhz{&8dlZ! zIWGnyG9)A$C=;S=Pju2oN1ELFe3ouXAc=t}PJNwH7zEZpzLv?8 z24G-P?rp$3yI1q5NLpxsu4?~@@N%X;Z3qjm{!4ph*T)~=l{N25nu zl~3#}N5?lv0YM)8ZqJ@-o$g!fNJNefSPkn4-YzgYH3v~}DMgDcE&@d9^=oLf^iDJb z-CKTHhJs;vgkl4gUWzk7N3T>2=5f`_QF5MmK(XabKL%2WRrt_3| zEhm}$)T1&bh|y$?xA;f9y*2pt_kW&`Hjgv#SP&gRgJ35xa=gOso40PoKqkk6vkOTk z+EIX5?LgNB#W&^v;&@b060%awN<$iKa(a?-diAsHiJ8>W*!#$r4M-PBMA=_=AX{;P=uh0{$1v?UQ(D2#;mU<^gS6w{&+JvT<`m;LsqBsr%cN{( z9I|{#G;+XGQGgM z;@!&XQFy);wz*qmWoz{zSCEB{qXI3w6r7CY6V9mafxiYOynd)eR$IW&!^w|QAl;at zm-3w=ifoXnIK&p6CVUcRIM|pPTTdnxw%e0S7pHgrvdq{8CByheXqQxLRV_i6JNB#v zEqw@F5!B&=uUv`kfH4Im&?0GA7cj4?%>eDyrJB|nI+U6Q8{Ha4J>!sOwOiLSYk>4f z&in7H&VZTz65iB`3DDXzPU+fcO*!q5t6|=`w3zi<*S5-pqn(M0$;K16SgXzX;>m|} zbk=omo`EvW?qbSinH62$lp$1WKUU*sraE$(bFtO%R*8g;1}<7-?U`UYIzO45Jm>N` z?t_cCL143EsrMcU&ZtXJQ4vapxBj?62^F>!pf<(V#PgVOm$^iTtmQbI0s|qEV+DJz zE=|g=RAtb%&`UkutHyn8X~3)PMj3H5{}lOA!w`|pA8>70$+pqlmTKpP*6t@xRPLGi za6yPrh@h-)kCOE26ow9~Z;Ot1ZBnN3oXy;zExe0!TMJq)3ki-zGrlz6#V#we89FAh zdr{56Co=*Ke<^EUvDJL2Npqcf_!6X+fOUqaUa7-2bT{343VJ& zV0hw0%tYNZz)*rh-}^y)VP&)iq?>?=nMNZ1a^?)q@PjT#ZX_ZohvJBbH*9EGaO$+u zQeoj{u!aHh<+`{t*fxkcQMw!~oPl8?6h$)>T$@1Oe?%?Hf`11IH4N(rW{A+f+l(^X6W8xg@BY5WGPMj97^i#&?yjLv-Jjdq9BQSUU}KeWx|U^Xf`uqzTL#G&-qN zD!R~^?}QPsa)N`klo$K2?;HazWc~W}AaHHiaB|?~BSbyWEeVPz^nLn`-(6Qw3;1Ou z1;EO~ufiG=97xED@Q1k~K8I{2L_>UheL+)!u|E5y!0K8et9wyBQy;{Sqe}?wcA?XRMrUIWbUmu$tcYLdnE^vh|5yoV?T@h5 zI%zi``dk&GnM!;CkJUT6D9>*-s8*sS7O(Ro!FAhHN4y&zr+2TP=lc~(p1D%{2<$Hb zcqa5#d2Y`b3*yJk!O6+CP^FRDCl4iyml@N-P}EP}-TdZS;Ee%zzM=k96?3k^aX(HF zLV0e#)1l$nd>Fh2-2Y9rK?QWP0N765MEuILnGB5haXG;!1B7j951JSH4dUd~8@Y{e ziUboWhk#(8R{XD145#Z7#+T}#L;=m4s0K`9KkH=C*;4=esy)YRjgQaQIo`PBKg4AD 
z`|m;0|EmVT6)AVCs-rnU{7@OoghK!kZEb>X4AjMcx# zB_=BQ@2Y-0azO<5zcc_e zLE^_J`1pdjKY`d4xz=yQ$M1Q*^HBHZez`)X#3Bgfjbcm}<>7e?E+>B6aSs@SL^Dh}M_s7s2KRK=1_R3@Sg`f}u()HfGkGVeq`adoNOzQ_Ow0!f7Lp$9x zgVUb5HL`iQsk9oh+2hlqNWXjT>vpMD#WL`sGims`gIf{dY;eU&x4SDJc~_PUVoR`oNb-Nxj{GjQ1PRTrb-( zwxI`@=^zSmiP<5;mn;_R?OWM8bKm%d7Xr|7d~P#>Hoqx}_{8k(w+CWL_%c=13*29Z zLL?p&R7CDOJFKgV$3%(l18WAV-UseFCN2)LvtSLS6689bS$iqs8sJbpPDsxg+%Le# z=ZnmS@Cz4KbrYXDqBQHNW|n03_TL6k3EWmm$$swDKd7VA;gpk>ntGgj4WMT?^LFXK z{aNzoaXAa|30yinT%7yTh$r73KGXMyZ`;>PmqH6CEKHF5>bLD$zRPS-bnZ3e{vH5|{=l-VOBO{@>4K*+BXDk5y^zDMpzGakSam!F%`oPlT z5}3md#VGCzZMJRNfwhT@l;mC;s8?Yk$bv7vczYA(2h-Mmck#c}5GFJthMP)|c&vM# zws-MR-R*y-88IEuMTGtB#1#I~B?}qo=+vCdH$V3;Q*wy?d$nZ$Dr-@Bj8RhJnA3>( zKGjp6&?flTNL++G5!>$i@p`=B$*0n4gz+Z+qpeg_Y@A^HqHnu5(s|n?5c(NXA2fM`Z>(|e~zW(}UyLP<|G-tbcj8g^V5V$*TpXr4$sX2|HadTf`rcLvgXxR&m z!<>FN?_M+iGrQy|o}X{JQ>zEn552CQp{Y8}wf zFv)g2iFPg~#G_&d=8w|bZvYm5y|}nFn%n$@ifC{vt~#q3X}2E*9+dBr(04?4_}5=C zpM8+m=|#z{q+dWhLRk_e9!Oe4d;lMG+43&V^CJ{xvC~0GL9={t8HGn59dyKzz&@kK z)D}X7;JJM7Oo?JQ))F-}R25NAoLEKLrOO0v_%TFdt68gcrL4YADOnI? 
zYu9+iL%p7~h;lQgTRBN^`u1nySp4|J3ps}vlyDLf_H$hLUOXeD;C+3wtf$4|7Qesx za_DlR5{c5-bd484J@Duk3hmIFp@;j<`bIo$f??Ly)vLeb*y9_k0#hxj;~*;bwj8|Z z-4akYL&gWtZb_o3I`gacfEQ|nNU3svD~R<*;Is^yJMhpt000e>r^Fc&dYPw}z0+vD z%6oC$foxFd+HE^{IA2cRz00Qe*MsT&lQf?AeyLF1`;*U}`L0lSm3J0%-RIBf`Lqz8 zQ~fPR{lDXjkNlAKu*I%;%{{B>czl+a!mIlyZG+^DlAgS}GEnDw|AHo;=;Y$dely*g zz}=+*pB<=C{OP}dTRPkUHbZs1E~B}`&B$)=aeL2GJqJb%bA}3iHrecdd`0-H#Ty%V z)`Sn5otvn6;T--?J?2LaTNjAkf%>=jR@J?`4}Totu-LHZc=F=qi@&{c*>F75vc_|; z`h29YHY0n|J9+d7&6rW#Ke|`<;O*DE%R8!M)DldVkv?j~^mnVOwZEPuBn5naxGYVp z%j#5OXH;+K%1vOu?)OoNU?f@dosTFAZoRilO6}uSTmNohePEhws0g3;HmP+^H4_g^ z`FGNL)7CV~i!=shhxYk0LRJVa+Mw}i$*wd)*zF?;*L{@wqTAsPW1_+L)3u{10(A>B zm2NvRY8&^hE!3BAbG98btyL-A_xWdhn%=+f`6RkJ);ehYpn+F2<)5k+y4jm~y|bhx zTTVW`u|P8SAjiyx-+b4u{T9^w#nr*Nd2|EkHkY8GsiEQLXH74hE8^od@$;(eyCgdu zDermjCFUB0im2=EdRB7x(#t_#lZFhNsTP~S3#}$L&zxVqR*As!E?c~`)$Xa}{jQlH zwP}_WepV$0WtQD7i_#V>lWrb*EFJ0DoVdZ>o}n#FBd7HyjlO=~oF`b=vc<%&6|-mP z)n_%6Z$9=>t?ImgYv?Oz#DKm4Eu!wX)f!vn=@1dlWEcPI6G8LNocY7-cyK}~AwJ3& zkJZA21hDHV0j7;JCDXqcZ!G%VIbIK17Z2*|7!MEkQrLWyO}~W2wU2x7O1kuh-$@m@ zRMVktOQ`m`PGwEEPKEK?QK03N(R<%*s$HD{{_HZtGc6SqLUYgXF1^L8|1}b z3oQx{&>0zV%L!DX9?i1p)L2kHWzd#T_sObj0UcE+G4ml{mJd(u?Gs+UJZ9a#UAsoy zZempU@4tVQz5zoZf$=CnLJ12>o^qoit6;HJn2O{LezDdn8LPj7zNKnGMB@8meL`0MyK^*CoPCoEsEyU^r zt{3+up-BOhT8jL7+J1T+SnXlJ6>luZYm$ZZcNu9Br34C0sMG}(*6;4IqW?ZFOR#oM zu}&S*L@I!dFYmJfav127p_GiqbB!zbl&)w~XUZ;LzWj1n*z;%4V)$%GCL)>+>9kI> zbK?WCS~om@W{UoJKz;l4`R||M+u*S9ym=uhqxPc@LsyaQlo?lel8nO}!|6S+YJ(^( znU4XgI9^dGK_&s-uMwSDP<~Lw!-yz#^)iANhPUYn+!(sWy6oq61q;#jXA%Nln{<;7 zhl198)S6)WC5DDfVCAf}ldnhI1$GX|yAuH95n2o&@5>j9%-|;rAajtoCLb6h4MkQJ z1gP+?5C?>)coa0DU>`9=q68H+CV@+__y6NB+i!$$5YAB(4dsK12KU9Rkp8>-N(#nEv z%1EXGRumyRp-yoG!8|Z!iK($(@y^kH`9D7TB0bh2?P0rp?6UfF%i0X<1_ayYaxla@jbn0Tdjz#xxqG1byNEZnQZdR5w9@8K=cJZV|SP?)37Val>mGbOf1LxwdV z4A4o$d&MgDf%go$F$J*O*lJ9W0cK5jhszUr3KSBRIHRpVViICDD^`U5{`-^X&#gQT zln6_y0UH_V^73=mLxNOD(o#&heY-yjs|~hT`Swo1?(bJ(d?leR0)!Pr{;K!@h`?KH z(@>hMN+d595E$!RgSGgW6)C~<& 
zhjnR+eMv}PFva6ZNV}7>IznIsSlIv%)2Y#z6?3>xnM|jq7iXQUT-SYmVt3lw)vI5E z}kJ}Y!NwiMihvpe& zE}NDASk7W4WNsN>~@@x)zC?a zN>hUJi8)E$@dR>Kl5@wws-yYP_5dPQ5~@A)VhHIBKqSQRYq3i>$^-@6AngW_qCHLp z3uW~vK451>dX9I2kaZ^`;&)U&SjqB!R0?LjJ$EQ4$=R($Ut{5tB})j-7~rdw_0efC zLSN3%IPezWmW$G8jS_b99G^955ws;F8=ZnM;;Z6%U(Hwj|-7T|T9)MPY z*bCYlz&99QlfmlQ9E3g>#w;V(_k<3|n>P|B&8?2|CN3@Wm)^^E^QKl{BOcB;3Dl=< z=d`qn8nimFn9%w=o2g}c6yneu4La8rZa`BEMR!1FFtH#e<`n?yli0aHo>bogY*Y}E zjxgDo!>{)*^auK-ky2Y!cQO;sJkSBI-ohKVVJJ}xVBp>^jkuv8+ex><=+8#lm8BOMn4|yd7ej3J<~o5M8Py7 zEMSii29Q8JW2_46A?_41^~TUN!A4CQTB!E5cfkPoykIqJ0E!G1e<+g^Iwr?Mo!C8@ z&Ne|M;R++@!EP)elnGoFSi6+9f5KENDC)O<{q46@+(P^j;=8E+3Qn&FiH3N3;l+eiE&B)DEVCG$}P(}%#Fp%=*RRy6dgiY1tYTjv91ficq z9p}C#Iz1k44R1ockk+u6^%UAj;0#9+JRczTZzUz!V5bm{3Sv>HDyP%T3FvM88-Low zo-#F22mBs;eOYyP^|>QU^9Y zWWhCJ_B$-*vR`vSeX~$)@K{Uh9*KA6II?2d_F*fAg|jTm?`sQtkR~6ha2mf5A^9qn z27p(|!3JpDx0KJj0Kpc20zf0k_T6!T8P$iFby%161WX^bIYd1Qva2AiLFm6g2x70Y zGV~7ho6lBekrppsJ_^MKXDPL+xO$WMWhEtFb}?@T8z0JnzVZ|5%g95LbW_GRlo){G zEw49~<#Slcer82L;5woHg~R4(`P2GocVETVC`0a4fe^*so_^S}*vua> z<={?YNmbhsEC?%sAu43B6(F$K*pof=>CMoPg2GPFrAuoYUcaS={xw%f3HptcFVV!Q z3~9_a%$(}aZkAT|qmf7IE?5o=$&a-5*&Ej{?SClR*swNynOlemqyeVjV`PD#M*aSt z6Ci{5Ux;{U8MHRQNX2H2*N$g|5ONg|SlI#pm0~o1-aM4eX*m4AkUL?bETse^l~`iZ z?oh%p>>&bHLNgbt0L=C(K4vqz$?iCD5d8oNVd?&!TYRGiPt*yeEuxxekg2YSFj+^l zx;w6rd7HVky1}ZMVM1R682S;9Ev49#Hgpx~qO!84G;NQ&fUM<83t!N!)64ZL&j0P$r!wQ=ow6IE8h`y-KjS=OrNVZ z^;05oTAy>Y5VlA(xV;*m6m=L1=pIJ&+8X`Hws(QcL{zV0K(pkq6am8^1OVXFPJ(I= zpdyN*h{lG&;>gFnq_eL3N>CAV1!HCuI3$o4h47FI4j#fBi;LA_gt*ooqu8u^Dy$y1 zLMF1I*Fb?+Ie@h7o<0swsrL&8K1_@eVlA-ix(RyMoDlYofxU3YvQ`3hpRc~^f4D?L zaEHr5`W+lqa04JJGX#OHf`S4u%U}MhqzDz+xIzyCJ4nVg_vp@XDE`n zfvFfL`wW9mhBe)sq|`1!RcH)S96Hh8S!=sOcDZ^>qQSWYyxH(f2(iWAy7j#^CQG;= zas*WWh++k#Wg4@!n`jCw`;;EjU=VQN&R@Vk>U8QTjzB++hK1NlYg zfKy*nVnjU01KwZ3LJ%4-RyH;q2z3y$X2ypVPnCv91MUt%DLatNAbbROI{@AX@28&@ zFOf$ALj;~g9O~;EEN*biuRn5XLUiTIm21}Qp$F}|>2xp$BG4x>@d9BnGe!O?)u&#I z?u!87&8<+IY-ptsX|CTbHRN4iT%8jy8$TFx4=sd@JVh1jLw(AmI(dGJi}L)~j5SLL 
zp*)!SVdp6&i|b|n_42R=Akmb{UuE?nKCaLD_IjC@`~yTA$HRG-YS5D*c$BV6m!`z{ zEjzTOs$4yMeYcso(+qubcCmpPP5x2*qyoRT6?J_+`#hTl3f z6*!aLCbUZHF-B>C5LeXS-Eac|3I?6rP*0{d{<2^h z-e=LBTJHRXUMH3kR29x^xpTb32UXMt+FgUthx$o%Zm(=}Jd0=pmA#1(FN7M6u}3_|Cp;~Av42&~x&=hcx=k$mwS|F)jdo2G1j%N)<`Wh^$oNglg) zuy*A8os&7mk55T7Rg1w`W8{@DRBrwJ{LY;N1iB7-n}p?PJufTNeRlQjw``4BReU>Y zh)Am7hUbHgt~s9MoWB0-azDeo?%)jnyaRGw>gUp3bklBRWsSjI)8Ooh91BKj3Q{g? zRAYn)r9sK$-ESMSvtP5iWm;RNh(m2lu|^)R!R0ycCx#EyO`$+QHN(U zc%k>xf_M~PO`55WM?}@R`RTk?pca{{)Ov6X5^qG2uLo5bsk~I;YiB*r%eYM6(K1L+joG`VqR)NF=mUwVX!U-^sS`o>%(&di zZs>zls%Aou_XE$18l`H3gA^Y5XS#}{+#j{gjs~1N zSgtw+{zth(=ez4j91T*A$zX7(2!=x;`O{H9Q`xm6OY}h+x5c{(Ck+U$1cWOGG4 zt#;-18v7k^vRBf3f`6@5no2Zz+8W$C(QXEIb@9`iYNqXb!PNl2s`!iCW!$NnMW{$u zj|ojHrSBDsHq4T33~IFv(qkl8=g*_xZXnh~BjTl*sbxz+* zsdV;>4U02Vt)Jc*K|PAp3Qm;lM3UTKG~*mJkpfbO?4I-T&WUVpe>KrACnKd6rXI~` zKQvWL6%CiASOz(I`V_Rt)hv2}H;;$6*(BbaYV3!W7GbmfIZ|@&&?#MU2eN8#fT(mz4$}9FvAM$PkJr zC9H`ltl{f7K-GQP;l?oGdfXVCP5%9T$yv zNW+jlW`LSR7Fdb|r5K@qCxp4~6tCvef8L{WC%fUnb}JyDXBR#tZ$^9AqiMz6f!NKNM_rJZW27pp78 zPRWOZ7}q79`8?pt6{zE4W(uW{s?oKokGMg=@o^#`7cIib%~$!A5<7HST|WmOVx3%5h6>cDrpr zZaWi1)J+l#2A)72Jl{f?Z!3@MH(Lw}>_pB4f z>=1gKr~^Wd38F)ZN8R0X<@K>3`}glh`(65s$_&6|wguz-n6~%SUBh$pMXdev?mBhL z%Dz^pO5AE6#!!`2JLEhe&u*0b(Z*x*N=219lhRmr5a&7FCR2x|^c@~C{jd$tZSDj0 z^^4Cw`+Z?gRSnYi31k+8xGE+aCtj;B>~SIl&{2N!z^#D#B<jw5@);t~%gBC)a$J+J++r>iERmWAM@);sqIH`b6A3j`#;hG9G+5yZCtOw~` zC&@4iy7zwLzdjn534=Bq60!~qzZT@Hd(jse7M6>KIoQ0nA>aFbzaIA{-C!AXXTg`g z>*>Qa45iW6^+rmRZoi2E`yWdK8dVPM9NRgT-gu26;W#hsW%A`NG&JVTdrqk}LXL`I zTo{k3Ih6!h5IP3x(P?+@jv_)XdHndZg$uPqLAI@WGMy2l^K1L;HjqVRMV*A`ctt|7 z2_kE|4yaH?Iduo)X;z;bYf+x6tTb%7zPlAZTq z*x)oBo*&sb2KxY3EqV9F&xFzxt?zEDAM%sf1JK@wc2!%#Ap(6A8bRPc zWPrCshyxM4V1Sh&vS)3LnHtvCbOdzZH_JCO=Dk%$n(e!8N0A3tcppIeg`wBfg`&k^GOzE0cfp!aW#)C!hMVFESz`Nhg^;T<`#us_UHz2|pMCBC@g zyeIBkQ_|+;TyFEocWDosTkMp-XB_(gAmb-!_}_Ejevp43NP@=dqL2i)IsfS~a_`ZI zF(t76I5t7~SLTjxi_ZPustaYcQIvq=gw>m!V|8Em`lyrP{$}j0*sz(M@iEZ@e=kh1 
z)^>EEG3etXBEhA%+$3NBVLku$z;FIbr-fL0dqlxL{~_$s)jt7XJP!Lqq`CkU4J-Ip02we$NKwghH*!~_yo&3Olq z=_Q|w$wqf3N=i{x9Cv~b#!V6f~YD!)bmU z@fH0YsndKm{CHY6c$(}?{NK4*V$;NG{P?2O^sQJJ509F~BU{s9BU?A;d?$TKse!$j7DEpoLIpXtwh6}ubk6~`xA<_Lw Zg~+dM7KaOdBFwz1vijbn?~eTZ{{S>&MT-Cc
From 12f4de681fad54c082c98ae97d3908dd43d51af1 Mon Sep 17 00:00:00 2001
From: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 19 Jun 2024 20:52:41 +0000
Subject: [PATCH 41/50] Generate Parameter Markdowns [oZakari/56e2292c]
---
 .../logging/generateddocs/logging.bicep.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md
index 3bdddcea4..3806e2884
--- a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md
+++ b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md
@@ -6,21 +6,21 @@ ALZ Bicep Module used to set up Logging
 Parameter name | Required | Description
 -------------- | -------- | -----------
-parGlobalResourceLock | No | Global Resource Lock Configuration used for all resources deployed in this module. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.
+parGlobalResourceLock | No | Global Resource Lock Configuration used for all resources deployed in this module. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.
 parLogAnalyticsWorkspaceName | No | Log Analytics Workspace name.
 parLogAnalyticsWorkspaceLocation | No | Log Analytics region name - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings.
 parDataCollectionRuleVMInsightsName | No | VM Insights Data Collection Rule name for AMA integration.
-parDataCollectionRuleVMInsightsLock | No | Resource Lock Configuration for VM Insights Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.
+parDataCollectionRuleVMInsightsLock | No | Resource Lock Configuration for VM Insights Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.
 parDataCollectionRuleChangeTrackingName | No | Change Tracking Data Collection Rule name for AMA integration.
-parDataCollectionRuleChangeTrackingLock | No | Resource Lock Configuration for Change Tracking Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.
+parDataCollectionRuleChangeTrackingLock | No | Resource Lock Configuration for Change Tracking Data Collection Rule.
- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.
 parDataCollectionRuleMDFCSQLName | No | MDFC for SQL Data Collection Rule name for AMA integration.
-parDataCollectionRuleMDFCSQLLock | No | Resource Lock Configuration for MDFC Defender for SQL Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.
+parDataCollectionRuleMDFCSQLLock | No | Resource Lock Configuration for MDFC Defender for SQL Data Collection Rule. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.
 parLogAnalyticsWorkspaceSkuName | No | Log Analytics Workspace sku name.
 parLogAnalyticsWorkspaceCapacityReservationLevel | No | Log Analytics Workspace Capacity Reservation Level. Only used if parLogAnalyticsWorkspaceSkuName is set to CapacityReservation.
 parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log retention for Log Analytics Workspace.
-parLogAnalyticsWorkspaceLock | No | Resource Lock Configuration for Log Analytics Workspace. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.
+parLogAnalyticsWorkspaceLock | No | Resource Lock Configuration for Log Analytics Workspace. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.
 parLogAnalyticsWorkspaceSolutions | No | Solutions that will be added to the Log Analytics Workspace.
-parLogAnalyticsWorkspaceSolutionsLock | No | Resource Lock Configuration for Log Analytics Workspace Solutions. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.
+parLogAnalyticsWorkspaceSolutionsLock | No | Resource Lock Configuration for Log Analytics Workspace Solutions.
- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.
 parUserAssignedManagedIdentityName | No | Name of the User Assigned Managed Identity required for authenticating Azure Monitoring Agent to Azure.
 parUserAssignedManagedIdentityLocation | No | User Assigned Managed Identity location.
 parLogAnalyticsWorkspaceLinkAutomationAccount | No | Log Analytics Workspace should be linked with the automation account.
@@ -28,7 +28,7 @@ parAutomationAccountName | No | Automation account name.
 parAutomationAccountLocation | No | Automation Account region name. - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings.
 parAutomationAccountUseManagedIdentity | No | Automation Account - use managed identity.
 parAutomationAccountPublicNetworkAccess | No | Automation Account - Public network access.
-parAutomationAccountLock | No | Resource Lock Configuration for Automation Account. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.
+parAutomationAccountLock | No | Resource Lock Configuration for Automation Account. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.
 parTags | No | Tags you would like to be applied to all resources in this module.
 parAutomationAccountTags | No | Tags you would like to be applied to Automation Account.
 parLogAnalyticsWorkspaceTags | No | Tags you would like to be applied to Log Analytics Workspace.
@@ -311,7 +311,7 @@ Set Parameter to true to Opt-out of deployment telemetry
 Name | Type | Description
 ---- | ---- | -----------
-outDataCollectionRuleVMInsightsName | string|
+outDataCollectionRuleVMInsightsName | string |
 outDataCollectionRuleVMInsightsId | string |
 outDataCollectionRuleChangeTrackingName | string |
 outDataCollectionRuleChangeTrackingId | string |
From f2faabe4460a8b7246fc7fcde5eb1dd330af6a88 Mon Sep 17 00:00:00 2001
From: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
Date: Wed, 19 Jun 2024 16:11:28 -0500
Subject: [PATCH 42/50] Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
---
 .../assignments/alzDefaults/alzDefaultPolicyAssignments.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
index 906f62ba4..8c26656c0 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -1768,7 +1768,7 @@ module modPolicyAssignmentLzsDeployVmssMonitor '../../../policy/assignments/poli
 // Module - Policy Assignment - Deploy-MDFC-DefSQL-AMA
 module modPolicyAssignmentLzsmDeployMdfcDefSqlAma '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMdfcDefSqlAma.libDefinition.name)) {
- scope: managementGroup(varManagementGroupIds.platform)
+ scope: managementGroup(varManagementGroupIds.landingZones)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployMdfcDefSqlAma
 params: {
 parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployMdfcDefSqlAma.definitionId
From 8bbba6673fad36c991644a4fae08ae394430b098 Mon Sep 17 00:00:00 2001
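Review bot: Changing `scope:` of modPolicyAssignmentLzsmDeployMdfcDefSqlAma from `managementGroup(varManagementGroupIds.platform)` to `managementGroup(varManagementGroupIds.landingZones)` only places the new deployment; an assignment already created at the Platform management group by an earlier build is not removed by re-running the template, so environments that deployed the previous revision would presumably carry the Deploy-MDFC-DefSQL-AMA assignment (and, if it is a deploy-type policy, its managed identity and role assignments) at both scopes until the old one is deleted by hand. A migration note in the release guidance, or a one-line comment above the module such as `// Moved from platform to landingZones MG; remove any stale assignment at the platform scope when upgrading`, would make that visible to operators. The module's symbolic name `modPolicyAssignmentLzsmDeployMdfcDefSqlAma` also carries a stray `m` that its deployment-name key `varModuleDeploymentNames.modPolicyAssignmentLzsDeployMdfcDefSqlAma` and the neighbouring `modPolicyAssignmentLzsDeployVmssMonitor` do not, so renaming it to `modPolicyAssignmentLzsDeployMdfcDefSqlAma` would keep the `Lzs` convention consistent. The module's params block continues past the end of the hunk.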
From: Zach Trocinski
Date: Wed, 19 Jun 2024 23:36:01 -0500
Subject: [PATCH 43/50] Match policy assignment api version to match the version referenced in module for consistency

---
 .../policy_assignment_es_audit_appgw_waf.tmpl.json | 4 ++--
 .../policy_assignment_es_audit_pednszones.tmpl.json | 4 ++--
 ...gnment_es_audit_res_location_match_rg_location.tmpl.json | 2 +-
 .../policy_assignment_es_audit_trustedlaunch.tmpl.json | 2 +-
 .../policy_assignment_es_audit_unusedresources.tmpl.json | 4 ++--
 .../policy_assignment_es_audit_zoneresiliency.tmpl.json | 2 +-
 .../policy_assignment_es_deny_appgw_without_waf.tmpl.json | 4 ++--
 .../policy_assignment_es_deny_classic-resources.tmpl.json | 4 ++--
 ...policy_assignment_es_deny_databricks_public_ip.tmpl.json | 2 +-
 .../policy_assignment_es_deny_databricks_sku.tmpl.json | 2 +-
 .../policy_assignment_es_deny_databricks_vnet.tmpl.json | 2 +-
 .../policy_assignment_es_deny_http_ingress_aks.tmpl.json | 4 ++--
 .../policy_assignment_es_deny_hybridnetworking.tmpl.json | 4 ++--
 .../policy_assignment_es_deny_ip_forwarding.tmpl.json | 4 ++--
 .../policy_assignment_es_deny_mgmtports_internet.tmpl.json | 4 ++--
 .../policy_assignment_es_deny_priv_containers_aks.tmpl.json | 4 ++--
 .../policy_assignment_es_deny_priv_escalation_aks.tmpl.json | 4 ++--
 .../policy_assignment_es_deny_public_endpoints.tmpl.json | 4 ++--
 .../policy_assignment_es_deny_public_ip.tmpl.json | 2 +-
 .../policy_assignment_es_deny_public_ip_on_nic.tmpl.json | 2 +-
 .../policy_assignment_es_deny_rdp_from_internet.tmpl.json | 4 ++--
 .../policy_assignment_es_deny_resource_locations.tmpl.json | 4 ++--
 .../policy_assignment_es_deny_resource_types.tmpl.json | 4 ++--
 .../policy_assignment_es_deny_rsg_locations.tmpl.json | 4 ++--
 .../policy_assignment_es_deny_storage_http.tmpl.json | 4 ++--
 .../policy_assignment_es_deny_subnet_without_nsg.tmpl.json | 4 ++--
 .../policy_assignment_es_deny_subnet_without_udr.tmpl.json | 4 ++--
 .../policy_assignment_es_deny_unmanageddisk.tmpl.json | 4 ++--
 .../policy_assignment_es_deploy_aks_policy.tmpl.json | 4 ++--
 .../policy_assignment_es_deploy_asc_monitoring.tmpl.json | 4 ++--
 .../policy_assignment_es_deploy_azactivity_log.tmpl.json | 4 ++--
 .../policy_assignment_es_deploy_azsql_db_auditing.tmpl.json | 4 ++--
 .../policy_assignment_es_deploy_log_analytics.tmpl.json | 4 ++--
 .../policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json | 4 ++--
 .../policy_assignment_es_deploy_md_endpoints_ama.tmpl.json | 2 +-
 .../policy_assignment_es_deploy_mdeendpoints.tmpl.json | 4 ++--
 .../policy_assignment_es_deploy_mdfc_config.tmpl.json | 2 +-
 .../policy_assignment_es_deploy_mdfc_ossdb.tmpl.json | 4 ++--
 .../policy_assignment_es_deploy_mdfc_sql-ama.tmpl.json | 2 +-
 .../policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json | 4 ++--
 .../policy_assignment_es_deploy_private_dns_zones.tmpl.json | 2 +-
 .../policy_assignment_es_deploy_resource_diag.tmpl.json | 2 +-
 .../policy_assignment_es_deploy_sql_db_auditing.tmpl.json | 4 ++--
 .../policy_assignment_es_deploy_sql_security.tmpl.json | 4 ++--
 .../policy_assignment_es_deploy_sql_tde.tmpl.json | 4 ++--
 .../policy_assignment_es_deploy_sql_threat.tmpl.json | 4 ++--
 ...policy_assignment_es_deploy_vm_arc_changetrack.tmpl.json | 2 +-
 .../policy_assignment_es_deploy_vm_arc_monitor.tmpl.json | 2 +-
 .../policy_assignment_es_deploy_vm_backup.tmpl.json | 4 ++--
 .../policy_assignment_es_deploy_vm_changetrack.tmpl.json | 2 +-
 .../policy_assignment_es_deploy_vm_monitor.tmpl.json | 2 +-
 .../policy_assignment_es_deploy_vmss_changetrack.tmpl.json | 2 +-
 .../policy_assignment_es_deploy_vmss_monitor.tmpl.json | 2 +-
 .../policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json | 4 ++--
 .../policy_assignment_es_enable_ddos_vnet.tmpl.json | 2 +-
 .../policy_assignment_es_enforce_acsb.tmpl.json | 4 ++--
 .../policy_assignment_es_enforce_alz_decomm.tmpl.json | 4 ++--
 .../policy_assignment_es_enforce_alz_sandbox.tmpl.json | 6 +++---
 .../policy_assignment_es_enforce_aum_checkupdates.tmpl.json | 2 +-
 .../policy_assignment_es_enforce_backup.json | 2 +-
 .../policy_assignment_es_enforce_gr_keyvault.tmpl.json | 4 ++--
 ...ssignment_es_enforce_sovereignty_baseline_conf.tmpl.json | 2 +-
 ...ignment_es_enforce_sovereignty_baseline_global.tmpl.json | 2 +-
 .../policy_assignment_es_enforce_tls_ssl.tmpl.json | 2 +-
 64 files changed, 104 insertions(+), 104 deletions(-)

diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json
index 18e58bcaf..e86da45c8 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Audit-AppGW-WAF",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Assign the WAF should be enabled for Application Gateway audit policy.",
 "displayName": "Web Application Firewall (WAF) should be enabled for Application Gateway",
@@ -19,4 +19,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json
index cbb601958..ebd1a9053 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Audit-PeDnsZones",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Audits the deployment of Private Link Private DNS Zone resources in the Corp landing zone.",
 "displayName": "Audit Private Link Private DNS Zone resources",
@@ -87,4 +87,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_res_location_match_rg_location.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_res_location_match_rg_location.tmpl.json
index 422e544ef..0db5b7a6f 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_res_location_match_rg_location.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_res_location_match_rg_location.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Audit-Location-Match",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Audit resource location matches resource group location",
 "displayName": "Audit that the resource location matches its resource group location",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json
index 33ba0f2d6..e4baa6c5c 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Audit-TrustedLaunch",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.",
 "displayName": "Audit virtual machines for Trusted Launch support",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_unusedresources.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_unusedresources.tmpl.json
index a7403f5cc..7279c745e 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_unusedresources.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_unusedresources.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Audit-UnusedResources",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "This Policy initiative is a group of Policy definitions that help optimize cost by detecting unused but chargeable resources. Leverage this Policy initiative as a cost control to reveal orphaned resources that are driving cost.",
 "displayName": "Unused resources driving cost should be avoided",
@@ -25,4 +25,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_zoneresiliency.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_zoneresiliency.tmpl.json
index 4bb302c61..75a93c8c9 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_zoneresiliency.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_zoneresiliency.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Audit-ZoneResiliency",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Resources should be Zone Resilient.",
 "displayName": "Resources should be Zone Resilient",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json
index 9f1b873b7..75fc32187 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-AppGW-Without-WAF",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Deny creation of App Gateway without WAF.",
 "displayName": "Deny-AppGW-Without-WAF",
@@ -19,4 +19,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_classic-resources.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_classic-resources.tmpl.json
index 34d0de81b..384fa2ab4 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_classic-resources.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_classic-resources.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-Classic-Resources",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Denies deployment of classic resource types under the assigned scope.",
 "displayName": "Deny the deployment of classic resources",
@@ -80,4 +80,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json
index 220c4ef3c..5293a3879 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-DataB-Pip",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Prevent the deployment of Databricks workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.",
 "displayName": "Prevent usage of Databricks with public IP",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json
index 51efaeb27..1b4ad0232 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-DataB-Sku",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.",
 "displayName": "Enforces the use of Premium Databricks workspaces",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json
index 0b531c958..6be1fe5bf 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-DataB-Vnet",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Enforces the use of vnet injection for Databricks workspaces.",
 "displayName": "Enforces the use of vnet injection for Databricks",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json
index bc0fa7bce..85e3d44a3 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Enforce-AKS-HTTPS",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc.",
 "displayName": "Kubernetes clusters should be accessible only over HTTPS",
@@ -19,4 +19,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json
index da636ae71..c572d0c9f 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-HybridNetworking",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Denies deployment of vWAN/ER/VPN gateway resources in the Corp landing zone.",
 "displayName": "Deny the deployment of vWAN/ER/VPN gateway resources",
@@ -31,4 +31,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
index 4cae9a5ba..12d17c23f 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-IP-Forwarding",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team.",
 "displayName": "Network interfaces should disable IP forwarding",
@@ -15,4 +15,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_mgmtports_internet.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_mgmtports_internet.tmpl.json
index 148623cd6..384148a38 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_mgmtports_internet.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_mgmtports_internet.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-MgmtPorts-Internet",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "This policy denies any network security rule that allows management port access from the Internet",
 "displayName": "Management port access from the Internet should be blocked",
@@ -19,4 +19,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json
index 439b716c0..08d13ce2d 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-Priv-Containers-AKS",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "displayName": "Kubernetes cluster should not allow privileged containers",
@@ -19,4 +19,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json
index 5aeff9c94..cfb11ecf6 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-Priv-Escalation-AKS",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "displayName": "Kubernetes clusters should not allow container privilege escalation",
@@ -19,4 +19,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json
index 5fc9b2e34..bca7284c9 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-Public-Endpoints",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints.",
 "displayName": "Public network access should be disabled for PaaS services",
@@ -15,4 +15,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
index af5e2e66c..07a0b68e9 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-Public-IP",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "This policy denies creation of Public IPs under the assigned scope.",
 "displayName": "Deny the creation of public IP",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json
index 0bc870339..f871785fe 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-Public-IP-On-NIC",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "This policy denies network interfaces from having a public IP associated to it under the assigned scope.",
 "displayName": "Deny network interfaces having a public IP associated",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json
index 22eb65471..d9cacb333 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-RDP-From-Internet",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "This policy denies any network security rule that allows RDP access from Internet.",
 "displayName": "RDP access from the Internet should be blocked",
@@ -19,4 +19,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json
index ce36f684c..498ddea28 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-Resource-Locations",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Specifies the allowed locations (regions) where Resources can be deployed.",
 "displayName": "Limit allowed locations for Resources",
@@ -22,4 +22,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json
index 83077e3f5..16fcc9008 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-Resource-Types",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Specifies the Resource Types to deny deployment by policy.",
 "displayName": "Deny-Resource-Types",
@@ -19,4 +19,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json
index bf27cdbbf..aa8bd7095 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-RSG-Locations",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed.",
 "displayName": "Limit allowed locations for Resource Groups",
@@ -22,4 +22,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
index 7b7666cc7..e9e0964df 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-Storage-http",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.",
 "displayName": "Secure transfer to storage accounts should be enabled",
@@ -19,4 +19,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json
index f9dae08e4..77114ced3 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-Subnet-Without-Nsg",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.",
 "displayName": "Subnets should have a Network Security Group",
@@ -19,4 +19,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json
index d00523458..2f39a7200 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-Subnet-Without-Udr",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "This policy denies the creation of a subnet without a User-Defined Route to control traffic flow.",
 "displayName": "Subnets should have a User-Defined Route",
@@ -19,4 +19,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json
index 3a14cf900..8bc740f1a 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deny-UnmanagedDisk",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Deny virtual machines that do not use managed disk. It checks the managed disk property on virtual machine OS Disk fields.",
 "displayName": "Deny virtual machines and virtual machine scale sets that do not use managed disk",
@@ -21,4 +21,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
index ce3dadeb7..6855d8a9b 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-AKS-Policy",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.",
 "displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters",
@@ -19,4 +19,4 @@
 "identity": {
 "type": "SystemAssigned"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
index 65e82db1b..cdadc945b 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-ASC-Monitoring",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Enable Monitoring in Microsoft Defender for Cloud.",
 "displayName": "Enable Monitoring in Microsoft Defender for Cloud",
@@ -15,4 +15,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json
index 31c874395..1ba7a583e 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-AzActivity-Log",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Ensures that Activity Log Diagnostics settings are set to push logs into Log Analytics workspace.",
 "displayName": "Deploy Diagnostic Settings for Activity Log to Log Analytics workspace",
@@ -22,4 +22,4 @@
 "identity": {
 "type": "SystemAssigned"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azsql_db_auditing.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azsql_db_auditing.tmpl.json
index e2c9c5ee5..9758b3efc 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azsql_db_auditing.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azsql_db_auditing.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-AzSqlDb-Auditing",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace.",
 "displayName": "Configure SQL servers to have auditing enabled to Log Analytics workspace",
@@ -22,4 +22,4 @@
 "identity": {
 "type": "SystemAssigned"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json
index b10cfbe91..42fe2e9f8 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-Log-Analytics",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Deploy-Log-Analytics.",
 "displayName": "Deploy-Log-Analytics",
@@ -40,4 +40,4 @@
 "identity": {
 "type": "SystemAssigned"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json
index 5694a3e3f..6380846f4 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-LX-Arc-Monitoring",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Deploy-Linux-Arc-Monitoring.",
 "displayName": "Deploy-Linux-Arc-Monitoring",
@@ -22,4 +22,4 @@
 "identity": {
 "type": "SystemAssigned"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_md_endpoints_ama.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_md_endpoints_ama.tmpl.json
index de68d6778..852fd9380 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_md_endpoints_ama.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_md_endpoints_ama.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-MDEndpointsAMA",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Configure the multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP, WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW, WDATP_UNIFIED_SOLUTION etc.). See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information.",
 "displayName": "Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdeendpoints.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdeendpoints.tmpl.json
index a26342b20..2189151d0 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdeendpoints.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdeendpoints.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-MDEndpoints",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Deploy Microsoft Defender for Endpoint agent on applicable images.",
 "displayName": "[Preview]: Deploy Microsoft Defender for Endpoint agent",
@@ -28,4 +28,4 @@
 "identity": {
 "type": "SystemAssigned"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json
index de6701907..f676e4b6b 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-MDFC-Config-H224",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Deploy Microsoft Defender for Cloud configuration and Security Contacts",
 "displayName": "Deploy Microsoft Defender for Cloud configuration",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json
index 75df01f29..8b5480f3e 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-MDFC-OssDb",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu.",
 "displayName": "Configure Advanced Threat Protection to be enabled on open-source relational databases",
@@ -15,4 +15,4 @@
 "identity": {
 "type": "SystemAssigned"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sql-ama.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sql-ama.tmpl.json
index 9fbbcc048..fbb632fc6 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sql-ama.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sql-ama.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-MDFC-DefSQL-AMA",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations).",
 "displayName": "Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json
index 7672cf866..41ab7530f 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-MDFC-SqlAtp",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",
 "displayName": "Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances",
@@ -15,4 +15,4 @@
 "identity": {
 "type": "SystemAssigned"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
index b82a58e9d..4c76928f3 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-Private-DNS-Zones",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones.",
 "displayName": "Configure Azure PaaS services to use private DNS zones",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json
index 9a75e12ff..d46b9ce3c 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-Diag-Logs",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the allLogs category group to route logs to an Event Hub for all supported resources.",
 "displayName": "Enable allLogs category group resource logging for supported resources to Log Analytics",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json
index 2ada69535..673df975b 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-SQL-DB-Auditing",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.",
 "displayName": "Auditing on SQL server should be enabled",
@@ -19,4 +19,4 @@
 "identity": {
 "type": "SystemAssigned"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json
index fb7ca3e43..af7d707ca 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-SQL-Security",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Deploy-SQL-Security.",
 "displayName": "Deploy-SQL-Security",
@@ -19,4 +19,4 @@
 "identity": {
 "type": "SystemAssigned"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json
index fdf235a5a..8ff9da856 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-SQL-TDE",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "This policy ensures that Transparent Data Encryption is enabled on SQL Servers.",
 "displayName": "Deploy TDE on SQL servers",
@@ -15,4 +15,4 @@
 "identity": {
 "type": "SystemAssigned"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
index b290550f1..7a8f35a33 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-SQL-Threat",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "This policy ensures that Threat Detection is enabled on SQL Servers.",
 "displayName": "Deploy Threat Detection on SQL servers",
@@ -15,4 +15,4 @@
 "identity": {
 "type": "SystemAssigned"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_changetrack.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_changetrack.tmpl.json
index 3419a4d04..e89c15042 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_changetrack.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_changetrack.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-vmArc-ChangeTrack",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Enable ChangeTracking and Inventory for Arc-enabled virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations.",
 "displayName": "Enable ChangeTracking and Inventory for Arc-enabled virtual machines",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json
index 6f203b50e..9248147cc 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-vmHybr-Monitoring",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Enable Azure Monitor for Hybrid Virtual Machines in the specified scope (Management group, Subscription or resource group).",
 "displayName": "Enable Azure Monitor for Hybrid Virtual Machines",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
index fb2f29562..d147583a3 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-VM-Backup",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.",
 "displayName": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy",
@@ -19,4 +19,4 @@
 "identity": {
 "type": "SystemAssigned"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json
index 2a2469374..33723114f 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-VM-ChangeTrack",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Enable ChangeTracking and Inventory for virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent.",
 "displayName": "Enable ChangeTracking and Inventory for virtual machines",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json
index ca2c359f2..bafa57058 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-VM-Monitoring",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter.",
 "displayName": "Enable Azure Monitor for VMs",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json
index 1bbaccb8d..55869e744 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-VMSS-ChangeTrack",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Enable ChangeTracking and Inventory for virtual machine scale sets. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent.",
 "displayName": "Enable ChangeTracking and Inventory for virtual machine scale sets",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json
index 3980c3448..d3e97457f 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-VMSS-Monitoring",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.",
 "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json
index 5ee6284d2..07cbcd4a6 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Deploy-WS-Arc-Monitoring",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed.",
 "displayName": "Deploy-Windows-Arc-Monitoring",
@@ -22,4 +22,4 @@
 "identity": {
 "type": "SystemAssigned"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json
index 631e91477..3a2ad5f82 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Enable-DDoS-VNET",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs.",
 "displayName": "Virtual networks should be protected by Azure DDoS Protection Standard",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_acsb.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_acsb.tmpl.json
index 1143ba51f..53f5a8b5a 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_acsb.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_acsb.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Enforce-ACSB",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "This initiative assignment enables Azure Compute Security Baseline compliance auditing for Windows and Linux virtual machines.",
 "displayName": "Enforce Azure Compute Security Baseline compliance auditing",
@@ -15,4 +15,4 @@
 "identity": {
 "type": "SystemAssigned"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_decomm.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_decomm.tmpl.json
index af4b88795..f46e9249a 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_decomm.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_decomm.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Enforce-ALZ-Decomm",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "This initiative will help enforce and govern subscriptions that are placed within the decommissioned Management Group as part of your Subscription decommissioning process. See https://aka.ms/alz/policies for more information.",
 "displayName": "Enforce ALZ Decommissioned Guardrails",
@@ -32,4 +32,4 @@
 "identity": {
 "type": "SystemAssigned"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_sandbox.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_sandbox.tmpl.json
index 856c5ec26..f06a5aeb8 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_sandbox.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_sandbox.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Enforce-ALZ-Sandbox",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "This initiative will help enforce and govern subscriptions that are placed within the Sandobx Management Group. See https://aka.ms/alz/policies for more information.",
 "displayName": "Enforce ALZ Sandbox Guardrails",
@@ -11,11 +11,11 @@
 "value": [
 "microsoft.network/expressroutecircuits",
 "microsoft.network/expressroutegateways",
- "microsoft.network/expressrouteports",
+ "microsoft.network/expressrouteports",
 "microsoft.network/virtualwans",
 "microsoft.network/virtualhubs",
 "microsoft.network/vpngateways",
- "microsoft.network/p2svpngateways",
+ "microsoft.network/p2svpngateways",
 "microsoft.network/vpnsites",
 "microsoft.network/virtualnetworkgateways"
 ]
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_aum_checkupdates.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_aum_checkupdates.tmpl.json
index 5f925b340..1cb233bd1 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_aum_checkupdates.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_aum_checkupdates.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Enable-AUM-CheckUpdates",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
 "displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines.",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_backup.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_backup.json
index f44d05700..18544ebdd 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_backup.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_backup.json
@@ -1,7 +1,7 @@
 {
 "name": "Enforce-ASR",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "This initiative assignment enables recommended ALZ guardrails for Azure Recovery Services.",
 "displayName": "Enforce enhanced recovery and backup policies",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_keyvault.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_keyvault.tmpl.json
index 6017ba4a6..6efe25d36 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_keyvault.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_keyvault.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Enforce-GR-KeyVault",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "This initiative assignment enables recommended ALZ guardrails for Azure Key Vault.",
 "displayName": "Enforce recommended guardrails for Azure Key Vault",
@@ -15,4 +15,4 @@
 "identity": {
 "type": "None"
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_conf.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_conf.tmpl.json
index 946ec701e..5d7525e22 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_conf.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_conf.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Enforce-Sovereign-Conf",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "The Microsoft Cloud for Sovereignty recommends confidential policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions, denying resources that are not backed by Azure Confidential Computing, and denying data storage resources that are not using Customer-Managed Keys. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies",
 "displayName": "[Preview]: Sovereignty Baseline - Confidential Policies",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_global.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_global.tmpl.json
index 260d95197..b37cd9a34 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_global.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_global.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Enforce-Sovereign-Global",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "The Microsoft Cloud for Sovereignty recommends global policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies",
 "displayName": "[Preview]: Sovereignty Baseline - Global Policies",
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json
index 351a3e5cb..8f5504450 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json
@@ -1,7 +1,7 @@
 {
 "name": "Enforce-TLS-SSL-H224",
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2024-04-01",
 "properties": {
 "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit.",
 "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
From 8051f6808db8c662846d7258d367904021aec489 Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Thu, 20 Jun 2024 00:16:17 -0500
Subject: [PATCH 44/50] Added policy assignment to block deletion of UAMI
---
 .../alzDefaultPolicyAssignments.bicep | 31 ++++++++++++++++++-
 ...assignment_es_deny_deleteuamiama.tmlp.json | 29 +++++++++++++++++
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_deleteuamiama.tmlp.json
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
index 8c26656c0..f161c6681 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -132,6 +132,8 @@ var varLogAnalyticsWorkspaceResourceGroupName = split(parLogAnalyticsWorkspaceRe
 var varLogAnalyticsWorkspaceSubscription = split(parLogAnalyticsWorkspaceResourceId, '/')[2]
+var varUserAssignedManagedIdentityResourceName = split(parUserAssignedManagedIdentityResourceId, '/')[8]
+
 // Customer Usage Attribution Id Telemetry
 var varCuaid = '98cef979-5a6b-403b-83c7-10c8f04ac9a2'
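Review bot: `split(parUserAssignedManagedIdentityResourceId, '/')[8]` hard-codes the segment position of the identity name; `last(split(parUserAssignedManagedIdentityResourceId, '/'))` yields the same name for a well-formed resource ID and does not index out of range if the parameter is ever empty. None of this commit's hunks declare `parUserAssignedManagedIdentityResourceId` (the diffstat's 30 insertions to this file are all visible in the four hunks), so it must already exist from an earlier patch in the series or the template will not compile. A short comment such as `// Name segment of the AMA user-assigned identity, passed to the DenyAction-DeleteUAMIAMA assignment as the resourceName override` would tie the variable to its only consumer.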
@@ -170,7 +172,8 @@ var varModuleDeploymentNames = {
 modPolicyAssignmentPlatformDeployVmArcMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmArcMonitor-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformDeployVmMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmMonitor-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformDeployVmssMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssMonitor-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
- modPolicyAssignmentPlatformDeployMdfcDefSqlAma: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMdfcDefSqlAma-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentPlatformDeployMdfcDefSqlAma: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDeleteUamiAma-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentPlatformDenyDeleteUamiAma: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deny-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformEnforceAsr: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceBackup-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformEnforceAumCheckUpdates: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceAumCheckUpdates-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
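Review bot: The deployment-name strings on the two changed entries look swapped: the existing `modPolicyAssignmentPlatformDeployMdfcDefSqlAma` now reads `...-polAssi-denyDeleteUamiAma-platform-...`, which silently renames an unrelated deployment, while the new `modPolicyAssignmentPlatformDenyDeleteUamiAma` gets the generic `...-polAssi-deny-platform-...`. The first line should keep `-polAssi-deployMdfcDefSqlAma-platform-` and the second should use `-polAssi-denyDeleteUamiAma-platform-`. Patch 46's hunk on the same object (`@@ -173,7 +173,7 @@`) only renames the key to `modPolicyAssignmentPlatformDenyDeleteUAMIAMA` and carries the swap forward. The enclosing `var varModuleDeploymentNames = {` starts outside the hunk.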
@@ -444,6 +447,12 @@ var varPolicyAssignmentDeployMdfcDefSqlAma = {
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sql-ama.tmpl.json')
 }
+var varPolicyAssignmentDenyDeleteUamiAma = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_deleteuamiama.tmlp.json')
+}
+
+
 var varPolicyAssignmentEnableDDoSVNET = {
 definitionId: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d'
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json')
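Review bot: `definitionId` points at a custom definition, `DenyAction-DeleteResources`, under `varTopLevelManagementGroupResourceId`, and this commit does not add anything to the custom definitions library, so the assignment relies on that definition already being deployed there; if it is not, the assignment fails at deploy time rather than at build time. A comment on the variable naming that dependency, e.g. `// Requires the custom DenyAction-DeleteResources definition from the ALZ custom policy library`, would make the ordering requirement explicit. The two trailing blank lines are reduced to one by patch 46.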
@@ -1095,6 +1104,26 @@ module modPolicyAssignmentPlatformDeployMdfcDefSqlAma '../../../policy/assignmen
 }
 }
+module modPolicyAssignmentPlatformDenyDeleteUamiAma '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyDeleteUamiAma.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.platform)
+ name: varModuleDeploymentNames.modPolicyAssignmentPlatformDenyDeleteUamiAma
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyDeleteUamiAma.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyDeleteUamiAma.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyDeleteUamiAma.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyDeleteUamiAma.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyDeleteUamiAma.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyDeleteUamiAma.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDenyDeleteUamiAma.libDefinition.properties.enforcementMode
+ parPolicyAssignmentParameterOverrides: {
+ resourceName: {
+ value: varUserAssignedManagedIdentityResourceName
+ }
+ }
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
 // Module - Policy Assignment - Deploy-VMSS-Monitor-24
 module modPolicyAssignmentPlatformDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmssMonitor.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.platform)
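Review bot: The new module lacks the `// Module - Policy Assignment - <name>` header comment that the neighbouring modules carry (the next one is `// Module - Policy Assignment - Deploy-VMSS-Monitor-24`); add `// Module - Policy Assignment - DenyAction-DeleteUAMIAMA` above the `module` line. The override supplies only `resourceName`, and the lib file fixes `resourceType`, so the deny action matches every `Microsoft.ManagedIdentity/userAssignedIdentities` resource with that name anywhere under the platform management group rather than the single resource ID that was passed in; that is acceptable for an accidental-deletion safeguard, but it should be stated in that header comment so nobody expects the assignment to be ID-scoped. Whether the custom `DenyAction-DeleteResources` definition offers a narrower match is not visible here.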
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_deleteuamiama.tmlp.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_deleteuamiama.tmlp.json
new file mode 100644
index 000000000..a6f64536e
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_deleteuamiama.tmlp.json
@@ -0,0 +1,29 @@
+{
+ "name": "DenyAction-DeleteUAMIAMA",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2024-04-01",
+ "properties": {
+ "description": "This policy provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA by blocking delete calls using deny action effect.",
+ "displayName": "Do not allow deletion of the User Assigned Managed Identity used by AMA",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DenyAction"
+ },
+ "resourceName": {
+ "value": "alz-umi-identity"
+ },
+ "resourceType": {
+ "value": "Microsoft.ManagedIdentity/userAssignedIdentities"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources",
+ "scope": "${current_scope_resource_id}",
+ "enforcementMode": "Default"
+
+ },
+ "location": "${default_location}",
+ "identity": {
+ "type": "None"
+ }
+}
From a8d42a8f59ad340731063d2767b66619e37c7a32 Mon Sep 17 00:00:00 2001
From: github-actions
Date: Thu, 20 Jun 2024 08:01:49 +0000
Subject: [PATCH 45/50] Update Policy Library (automated)
---
 .../_policyAssignmentsBicepInput.txt | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt
index 8fec0f24a..266c9a91b 100644
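Review bot: The new lib file is named `policy_assignment_es_deny_deleteuamiama.tmlp.json`, while every other templated file in this directory spells the suffix `.tmpl.json`; the `loadJsonContent(...)` references in this commit and in the automated library update (patch 45) use the same misspelled path, so it resolves, but renaming it to `.tmpl.json` now avoids the typo spreading into further generated code. Inside `properties` there is a stray blank line between `"enforcementMode": "Default"` and the closing `},`. The `resourceName` default `alz-umi-identity` is only a placeholder that `alzDefaultPolicyAssignments.bicep` overrides from the identity's resource ID, which is worth recording in the module README so anyone consuming the lib file directly does not assume the literal name is enforced. `"identity": { "type": "None" }` is the right choice for a DenyAction assignment, since no remediation identity is needed.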
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt
@@ -53,6 +53,11 @@ var varPolicyAssignmentDenyDataBVnet = {
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json')
 }
+var varPolicyAssignmentDenyActionDeleteUAMIAMA = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_deleteuamiama.tmlp.json')
+}
+
 var varPolicyAssignmentEnforceAKSHTTPS = {
 definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d'
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json')
@@ -233,7 +238,7 @@ var varPolicyAssignmentDeployvmArcChangeTrack = {
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_changetrack.tmpl.json')
 }
-var varPolicyAssignmentDeployvmHybrMonitor24 = {
+var varPolicyAssignmentDeployvmHybrMonitoring = {
 definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/2b00397d-c309-49c4-aa5a-f0b2c5bc6321'
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json')
 }
@@ -248,7 +253,7 @@ var varPolicyAssignmentDeployVMChangeTrack = {
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json')
 }
-var varPolicyAssignmentDeployVMMonitor24 = {
+var varPolicyAssignmentDeployVMMonitoring = {
 definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6'
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json')
 }
@@ -258,7 +263,7 @@ var varPolicyAssignmentDeployVMSSChangeTrack = {
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json')
 }
-var varPolicyAssignmentDeployVMSSMonitor24 = {
+var varPolicyAssignmentDeployVMSSMonitoring = {
 definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485'
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json')
 }
From 37b01dd0c0c0ebd8bc44211fb5e486eb8e91d0b2 Mon Sep 17 00:00:00 2001
From: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
Date: Thu, 20 Jun 2024 10:33:04 +0100
Subject: [PATCH 46/50] update to align to .txt file output
---
 .../alzDefaultPolicyAssignments.bicep | 29 +++++++++----------
 1 file changed, 14 insertions(+), 15 deletions(-)
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
index f161c6681..bc2c69d80 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -173,7 +173,7 @@ var varModuleDeploymentNames = {
 modPolicyAssignmentPlatformDeployVmMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmMonitor-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformDeployVmssMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssMonitor-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformDeployMdfcDefSqlAma: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDeleteUamiAma-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
- modPolicyAssignmentPlatformDenyDeleteUamiAma: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deny-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentPlatformDenyDeleteUAMIAMA: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deny-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformEnforceAsr: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceBackup-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformEnforceAumCheckUpdates: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceAumCheckUpdates-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
@@ -447,12 +447,11 @@ var varPolicyAssignmentDeployMdfcDefSqlAma = {
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sql-ama.tmpl.json')
 }
-var varPolicyAssignmentDenyDeleteUamiAma = {
- definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources'
- libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_deleteuamiama.tmlp.json')
+var varPolicyAssignmentDenyActionDeleteUAMIAMA = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_deleteuamiama.tmlp.json')
 }
-
 var varPolicyAssignmentEnableDDoSVNET = {
 definitionId: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d'
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json')
@@ -1104,17 +1103,17 @@ module modPolicyAssignmentPlatformDeployMdfcDefSqlAma '../../../policy/assignmen
 }
 }
-module modPolicyAssignmentPlatformDenyDeleteUamiAma '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyDeleteUamiAma.libDefinition.name)) {
+module modPolicyAssignmentPlatformDenyDeleteUAMIAMA '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyActionDeleteUAMIAMA.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.platform)
- name: varModuleDeploymentNames.modPolicyAssignmentPlatformDenyDeleteUamiAma
- params: {
- parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyDeleteUamiAma.definitionId
- parPolicyAssignmentName: varPolicyAssignmentDenyDeleteUamiAma.libDefinition.name
- parPolicyAssignmentDisplayName: varPolicyAssignmentDenyDeleteUamiAma.libDefinition.properties.displayName
- parPolicyAssignmentDescription: varPolicyAssignmentDenyDeleteUamiAma.libDefinition.properties.description
- parPolicyAssignmentParameters: varPolicyAssignmentDenyDeleteUamiAma.libDefinition.properties.parameters
- parPolicyAssignmentIdentityType: varPolicyAssignmentDenyDeleteUamiAma.libDefinition.identity.type
- parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDenyDeleteUamiAma.libDefinition.properties.enforcementMode
+ name: varModuleDeploymentNames.modPolicyAssignmentPlatformDenyDeleteUAMIAMA
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyActionDeleteUAMIAMA.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyActionDeleteUAMIAMA.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyActionDeleteUAMIAMA.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyActionDeleteUAMIAMA.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyActionDeleteUAMIAMA.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyActionDeleteUAMIAMA.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDenyActionDeleteUAMIAMA.libDefinition.properties.enforcementMode
 parPolicyAssignmentParameterOverrides: {
 resourceName: {
 value: varUserAssignedManagedIdentityResourceName
From bd7c8faaf4dd7d1e32fb8b0f1121ac620fd5745b Mon Sep 17 00:00:00 2001
From: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
Date: Thu, 20 Jun 2024 11:12:33 +0100
Subject: [PATCH 47/50] output typo
---
 infra-as-code/bicep/modules/logging/logging.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep
index a8dbea99b..703f01016 100644
--- a/infra-as-code/bicep/modules/logging/logging.bicep
+++ b/infra-as-code/bicep/modules/logging/logging.bicep
@@ -686,7 +686,7 @@ output outDataCollectionRuleVMInsightsName string = resDataCollectionRuleVMInsig output outDataCollectionRuleVMInsightsId string = resDataCollectionRuleVMInsights.id output outDataCollectionRuleChangeTrackingName string = resDataCollectionRuleChangeTracking.name -output outDataCollectionRuleChangeTrackingId string = resDataCollectionRuleVMInsights.id +output outDataCollectionRuleChangeTrackingId string = resDataCollectionRuleChangeTracking.id output outDataCollectionRuleMDFCSQLName string = resDataCollectionRuleMDFCSQL.name output outDataCollectionRuleMDFCSQLId string = resDataCollectionRuleMDFCSQL.id From fdc813a37259abee985c8438a75abc9e03b5c736 Mon Sep 17 00:00:00 2001 From: Jack Tracey <41163455+jtracey93@users.noreply.github.com> Date: Thu, 20 Jun 2024 11:16:08 +0100 Subject: [PATCH 48/50] add outputs for UAMI --- infra-as-code/bicep/modules/logging/logging.bicep | 3 +++ 1 file changed, 3 insertions(+) diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep index 703f01016..640dd0a96 100644 --- a/infra-as-code/bicep/modules/logging/logging.bicep +++ b/infra-as-code/bicep/modules/logging/logging.bicep @@ -682,6 +682,9 @@ module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdRes params: {} } +output outUserAssignedManagedIdentityId string = resUserAssignedManagedIdentity.id +output outUserAssignedManagedIdentityPrincipalId string = resUserAssignedManagedIdentity.properties.principalId + output outDataCollectionRuleVMInsightsName string = resDataCollectionRuleVMInsights.name output outDataCollectionRuleVMInsightsId string = resDataCollectionRuleVMInsights.id From 10c721774c334be16c5cf26daa73b8568eb20102 Mon Sep 17 00:00:00 2001 
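Review bot: The two new outputs `outUserAssignedManagedIdentityId` and `outUserAssignedManagedIdentityPrincipalId` have no `@description()` decorator, which is why the regenerated parameter markdown in the following commit lists both with an empty Description column. Adding `@description('Resource ID of the User Assigned Managed Identity deployed by this module.')` above the first and `@description('Principal (object) ID of the User Assigned Managed Identity deployed by this module.')` above the second keeps the generated docs complete. Neither value is a credential (a managed identity's principalId is an identifier, not a secret), so `@secure()` is not needed here; the description is what consumers need to know which of the two IDs to feed into role assignments versus policy parameters.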
From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 20 Jun 2024 10:20:48 +0000 Subject: [PATCH 49/50] Generate Parameter Markdowns [jtracey93/56e2292c] --- .../bicep/modules/logging/generateddocs/logging.bicep.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md index 3806e2884..150aa0551 100644 --- a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md +++ b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md @@ -311,6 +311,8 @@ Set Parameter to true to Opt-out of deployment telemetry Name | Type | Description ---- | ---- | ----------- +outUserAssignedManagedIdentityId | string | +outUserAssignedManagedIdentityPrincipalId | string | outDataCollectionRuleVMInsightsName | string | outDataCollectionRuleVMInsightsId | string | outDataCollectionRuleChangeTrackingName | string | From 0bec879465744c22fefc9e1288b90a8e8de139a5 Mon Sep 17 00:00:00 2001 From: Jack Tracey <41163455+jtracey93@users.noreply.github.com> Date: Thu, 20 Jun 2024 11:56:12 +0100 Subject: [PATCH 50/50] align to txt file --- .../alzDefaultPolicyAssignments.bicep | 106 +++++++++--------- 1 file changed, 53 insertions(+), 53 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index bc2c69d80..b3398e619 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep 
@@ -427,17 +427,17 @@ var varPolicyAssignmentDeployVmssChangeTrack = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json') } -var varPolicyAssignmentDeployVmArcMonitor= { +var varPolicyAssignmentDeployvmHybrMonitoring = { definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/2b00397d-c309-49c4-aa5a-f0b2c5bc6321' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json') } -var varPolicyAssignmentDeployVmMonitor = { +var varPolicyAssignmentDeployVMMonitoring = { definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json') } -var varPolicyAssignmentDeployVmssMonitor = { +var varPolicyAssignmentDeployVMSSMonitoring = { definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json') } 
@@ -1012,18 +1012,18 @@ module modPolicyAssignmentPlatformDeployVmssChangeTrack '../../../policy/assignm } } -// Module - Policy Assignment - Deploy-vmHybr-Monitor-24 -module modPolicyAssignmentPlatformDeployVmArcMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmArcMonitor.libDefinition.name)) { +// Module - Policy Assignment - Deploy-vmHybr-Monitoring +module modPolicyAssignmentPlatformDeployVmArcMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployvmHybrMonitoring.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.platform) name: varModuleDeploymentNames.modPolicyAssignmentPlatformDeployVmArcMonitor params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmArcMonitor.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployVmArcMonitor.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmArcMonitor.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVmArcMonitor.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVmArcMonitor.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmArcMonitor.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVmArcMonitor.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployvmHybrMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployvmHybrMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployvmHybrMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployvmHybrMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployvmHybrMonitoring.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployvmHybrMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployvmHybrMonitoring.libDefinition.properties.enforcementMode parPolicyAssignmentParameterOverrides: { dcrResourceId: { value: parDataCollectionRuleVMInsightsResourceId 
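Review bot: The variable is renamed to `varPolicyAssignmentDeployvmHybrMonitoring` (lower-case `vm`, presumably mirroring the assignment name per the commit title), but the module identifier `modPolicyAssignmentPlatformDeployVmArcMonitor` and the deployment-name key `varModuleDeploymentNames.modPolicyAssignmentPlatformDeployVmArcMonitor` keep the old "VmArcMonitor" wording, and the sibling variables in the same commit use upper-case `VMMonitoring` / `VMSSMonitoring`. This leaves the block half-renamed: either finish the rename on the module and its deployment-name key (the key lives outside this hunk) or keep the variable's casing consistent with its siblings, e.g. `varPolicyAssignmentDeployVmHybrMonitoring`. The same mixed naming appears in the landing-zones hunk at `@@ -1706`. The module body continues past the end of this hunk.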
@@ -1039,17 +1039,17 @@ module modPolicyAssignmentPlatformDeployVmArcMonitor '../../../policy/assignment } // Module - Policy Assignment - Deploy-VM-Monitor-24 -module modPolicyAssignmentPlatformDeployVmMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmMonitor.libDefinition.name)) { +module modPolicyAssignmentPlatformDeployVmMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitoring.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.platform) name: varModuleDeploymentNames.modPolicyAssignmentPlatformDeployVmMonitor params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmMonitor.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployVmMonitor.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmMonitor.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVmMonitor.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVmMonitor.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmMonitor.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVmMonitor.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode parPolicyAssignmentParameterOverrides: { dcrResourceId: { value: parDataCollectionRuleVMInsightsResourceId 
@@ -1124,17 +1124,17 @@ module modPolicyAssignmentPlatformDenyDeleteUAMIAMA '../../../policy/assignments } // Module - Policy Assignment - Deploy-VMSS-Monitor-24 -module modPolicyAssignmentPlatformDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmssMonitor.libDefinition.name)) { +module modPolicyAssignmentPlatformDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.platform) name: varModuleDeploymentNames.modPolicyAssignmentPlatformDeployVmssMonitor params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmssMonitor.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployVmssMonitor.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmssMonitor.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVmssMonitor.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVmssMonitor.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmssMonitor.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVmssMonitor.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode parPolicyAssignmentParameterOverrides: { dcrResourceId: { value: parDataCollectionRuleChangeTrackingResourceId 
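Review bot: The `dcrResourceId` override for the Deploy-VMSS-Monitor-24 assignment still passes `parDataCollectionRuleChangeTrackingResourceId`, whereas the VM counterpart in the `@@ -1039` hunk passes `parDataCollectionRuleVMInsightsResourceId` for the equivalent VM-monitoring initiative; this looks like a copy-paste carry-over from the change-tracking assignment and the rename does not touch it, so please confirm against the initiative's expected DCR. If it is wrong, scale-set instances would be associated with the change-tracking rule instead of the VM Insights rule and VM Insights telemetry would be missing for VMSS, a monitoring-coverage gap that is easy to miss because the assignment itself deploys cleanly. The fix would be the one line `value: parDataCollectionRuleVMInsightsResourceId`. The landing-zones hunk at `@@ -1764` has the identical override. The module body continues past the end of this hunk.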
@@ -1706,18 +1706,18 @@ module modPolicyAssignmentLzsDeployVmssChangeTrack '../../../policy/assignments/ } } -// Module - Policy Assignment - Deploy-vmHybr-Monitor-24 -module modPolicyAssignmentLzsDeployVmArcMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmArcMonitor.libDefinition.name)) { +// Module - Policy Assignment - Deploy-vmHybr-Monitoring +module modPolicyAssignmentLzsDeployVmArcMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployvmHybrMonitoring.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.landingZones) name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmArcMonitor params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmArcMonitor.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployVmArcMonitor.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmArcMonitor.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVmArcMonitor.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVmArcMonitor.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmArcMonitor.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVmArcMonitor.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployvmHybrMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployvmHybrMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployvmHybrMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployvmHybrMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployvmHybrMonitoring.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployvmHybrMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployvmHybrMonitoring.libDefinition.properties.enforcementMode parPolicyAssignmentParameterOverrides: { dcrResourceId: { value: parDataCollectionRuleVMInsightsResourceId 
@@ -1733,17 +1733,17 @@ module modPolicyAssignmentLzsDeployVmArcMonitor '../../../policy/assignments/pol } // Module - Policy Assignment - Deploy-VM-Monitor-24 -module modPolicyAssignmentLzsDeployVmMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmMonitor.libDefinition.name)) { +module modPolicyAssignmentLzsDeployVmMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitoring.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.landingZones) name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmMonitor params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmMonitor.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployVmMonitor.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmMonitor.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVmMonitor.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVmMonitor.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmMonitor.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVmMonitor.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode parPolicyAssignmentParameterOverrides: { dcrResourceId: { value: parDataCollectionRuleVMInsightsResourceId 
@@ -1764,17 +1764,17 @@ module modPolicyAssignmentLzsDeployVmMonitor '../../../policy/assignments/policy } // Module - Policy Assignment - Deploy-VMSS-Monitor-24 -module modPolicyAssignmentLzsDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVmssMonitor.libDefinition.name)) { +module modPolicyAssignmentLzsDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.landingZones) name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmssMonitor params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmssMonitor.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployVmssMonitor.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmssMonitor.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVmssMonitor.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVmssMonitor.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmssMonitor.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVmssMonitor.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode parPolicyAssignmentParameterOverrides: { dcrResourceId: { value: parDataCollectionRuleChangeTrackingResourceId

6uEg5EDalRY@XCGTVJRB%KM&!;@e&JzVz=OpY4o4(mt_qq)weqg9mKg z;go)_Pa^rjT-e=)v*HyB+EyrCwn!z~>-y!uHRoz2Bqs9GhQZ<>SPm`$kn-2AC2?~naTPpnQO=iKb>BY>pNf5V#7IvBnEv z;9=R>01gYS?_FbIP$&oxe9YnnU@MrMd4So}y5vKstN?o0Ku-a5+lQrOW9$u|VD;-K zLU$pN7C=6d3MA^sCRurzkJ1e^&^W&8Gc=UB@fGePf#h07$3N(*Ft{SW=7vobSpUwsDoeK+eudbH6jwsp(JPk&Iz zvUJ{k;`fP&wH+!5C40$b4VDJM@>5dsmf~tqZ^XyolU^dSm=pj-5#^%5*-&YnpIMkE zKq$r!Xg|w*$X%)kE6}QU382>)y2%xf!DnUmtAjPuO;3TRv5hz%!$~yrm>cC70#dbB zy4)(iPW&*jQlbZxIStv3Bdg~tlSz?rODdB$v}QQoD_g@e!)al>rIW{p(ED#3fWV=K z$Gz(x9%r0G8oaxJ5T1>Ep$426w+Ltc3G2OlV-bt)>@$KHYMev}RyEuB>5l(9H>;A7 z#Kc7Kul-Z|G+~`qZkZEPjppcuUp6pJ2yfca<0zF0GprKdcrO$9e{}=pI_Vg>V08|% z?r&X&1rD`6~w zRs(YF0OWk|^8LxRn_PK?4BP0F71wtzI#BUg7pXlUfAE_}^_%&$s#2 z1niOt2bUvyB?t2a;B_Eq*aoZKj*aR6B*FIsiB+0rg;j4VNSOY*-LJ$26oAM;8!hnV zS-x0Wy7P3h`NWawWT3ca@*Q0&r|rnKozF}qKLVsxCfEho_GF-dEmMZDFUOX2T?u4vReiM=b!zh9Z#( zub7)`dz2x8_YWulm(HXJ+^k}8Ya6+>=H)Os27kM}?z3a3y0$VYOWvp^u6lk)S7$nW zi;&22x+J3bYpA-f4>BfS=-B$-PKD-(4Z(p5*YT3ivFZZyN?Yg_u+ayI(m4Br|W@0$t{uPiR?_{J0*_gB+lwH@r1R-kN#Eb<+;1;udL3IF;f!-8{=f- z6SPygW-}R>r~$stNJA5-E2koMtsp-G7r&Suj;*bV!wOT<#< zu?o$S(E6nHJZO*F(hGMfqn{g}lAinEwT;W&n0GS0+q{M$UsbK#tC@-|A^ShF88iyc zegIWO6OB=Z-Er5aFZKs*QeU#ydO3)w@3d11)wj2EOG+|q$lSK5|2OUMIj+D*IFj2k zG8+DT?PlH}XK6)cwyVkD$;RO(7DMjivD1Y9UmNCBXlzb=mm^jI&7JMaY_Q%NapV<3 zhPG5k2UNTDJG2Uxv6=s{=?{0SVq<5YhDhmU5$>o{AV-AEi5sj!<=8HqlaiDyg<4}j zF8=jld-8Hq!0lixR^}viBU#GR`oqMJw`t1;EWKS|N-*9A{wz$64dg~xV0QO_ErIJZ z^bS-M2lWHJL0=Wz;ZOCr+0ohg#7zY(NhWs>+o`r(VVZ$`lsSI(8=_z=g8ZSOF*nH!qX=;1Rf5n452eIXZ&l8&{$iZ;7Jib1kEJ8_X~<_gAyBL3={TFtF*C z|H7Pjq%JEYgs7C5L3x0nm9(hfinKJ-PO%5`H#wvw5F}Wt*nOD;lkNqI@Cc+-EAdUFZ;6)>Z3c(`5ItF&eJk*zPTv&e&I(( zy-aq+w=uD?DWr*blINl3DJhk^Z?F-FC7!Q_66hOkBI?w8WuU#QD^SJ+ zD-T*O_jm~K0OIg`CyX>0R<-u1ReUVVf1OfzDz8b%_?Q{@qkc~{-lLgH-!L1jvnp~Y z*0YWFY=^F>bkT;qIXaGk$VD;cKv`UwXf(RiqU!^&up8}Bkeu|BT~k(|g$D)G23Z`@ z6@vVbZ=_+9pHfp(1-zyj&fZiI%Bh8|u|OC$G}m*c;)+}HE1DP)bbkLHJSfkSq4{;P zKEAUIE|=f+^84-&XWtdFk*pwX0(6LCx7{CaMPRMos4&QQO9~27rm!S}ILP+}$o~~2 
z+p3J>!(9q9p{IXkOw4*!bFZl}J$hfVsMzmHeODDk3@x5;YxR!q|7btAH@_*b5$P2p4J!at*{ZY8VYH6Au6 zzU`CsAhbJ6N(uEPy0_Mbvlxi1gX@PYBi1SgJ zW(x4N&wxkIR5ZgMdz`D)BdgnBND9vKE(^L$N$(?fs6!xQM5c!%scR75h9G>9iUnVs zN`gpX6-hNljyo2(cbp$qmsXRJBixLS(E6SiHcy1}o0rm_4xb5~3MQ{4Be;Bo zQ}+tkPZM~dB|#s&3vUKUDZ07mI^Rcs_`v=1+GBx$sV)Iu-Sh9Eo&Q975^dQTk87E> zgt<3f0?h!BAgR=aI&WCN8)^k?gs?|!5ETrh%7+1VIjqzwFa}N_`xP!A$pz~KBje-C zp`{G?SwN8lMgB9u;@41>q(?mfBdSb_3a4TMrs$}WzkEo)bzh@c&H)keCY)D)@ zUFR{|@)Ksk06m4HP+|hlI~TYFb||SaYC||WMBl4nDJ3mws?VOukpDY!F4h3EZU#L$ z-q*xAZyiYpX-EA6t!SyK{b>-o{W8O&rKXpjE%xsGu1v{B(K_miAT6_Zt#_ESpo(X!h_wlkFl|7{nikc7<`_t;a_FTof-)Tp=;^cGWraVoc>}f?AJzQ zT%;$fwY!!op(|fhIZF`*>3Nv>QTgiVo70TZ?~1ItX5uCu`y594M%a`%KSW;2$**qJ zv^g}2!UpA{XJu0;oc_X;2SNvmyO2~-M6v}|5EvtVTHQnf!;C8Q-`;<(oUZxR5vSMv zU~2&!kIN!>T2IJh&v3|tW%}L8VbK9wBvB0~7gu^lhS`~HwFD8BuMh8YP&qg_{51Y- ztGE1O0NO0WED#&|wG1VKY`t%8BwoqQoroqDYLbj0SkbSBT z!`<;LmC1tjqHoGQOco#}RgjablijK2&CJVd(dvoS;cej-+st87Xt1#0C`Ejz?bX$i z@fv!1VFyqfTtBCI*15tQa(u}^w}Ij{rv_(x)OOXZ&rpgepNpI>)j=EM1YfYEb^5t6 zWtVLVGyJ>6r~8*|4zh&Lw=FN*{sf|7z9Uz_*38Uo_@)9w(5;cW{W^mJR`SWJ9)fLH z)6C7u8R%xp!o@`}+Mp?Rlh-`f#KdIJVCd#;hjp6xSDsI-h2EI%otveBA0p{L&DVtt z)Xwx}$~P*fUy7^KmNJsP+>Td#&W{;%^ii7MYufcWSd&;9F3`D97f8Vc8#Qs52vmtR zaQzsR>u^(3B8~i-mq-QYFU2w=uaa#d7&hh~F= zIo+W`Nqt~x>A&g7Uos|!llFcD(D^q`10GFe*zU*DG!KmGsa+pE?$g(DWg57iaKn9g zW}u_*pgywRtl}+EswXs|wF{}HwQWCL4|9k>PfMz`Oh{fPT3xf9pb6<4z{oyY+`c-Mcb!UP<3++)hrvcU5 zN#74@`idERv!7zuuJ^V{P)M=ww}$$LDh0^0aslJGyn6O7cPysG(9m%CjMQz^3Hufk z6H~nTuGThaH%w@9GO^+!GYboCBKUYiuj7sR4G4$Ww4RU_z&u|y)XG)BX1!NM2H1oT zt%#6Bp+PNGQc>Q}Kq2wY7Wbk?+ZtJ=>ET-fTb?5}=jLTaP9L2o;zKukJ~l5}MYPOQ zCmEj+wx!gvL>n(zedoosr47U3((ybgSXxuvy$xlmUJkkw9|3Ltk9&(A{ZoHY*n_q@ zVY--|Sk5VP*uYg=ktb^9|+9ceA!Q3z*5}MHz3Sqg5b)rqXzV;zs|kvK}4g6w67qCJ^eD zd3!IWg9Vd$^d;QQ-8}RlaL{Mpc#oNxe6n5f*vBX1``VgL$zyv%jB3Pl$`D9SH68Pd zzCv7~NJ5lK&jQjcAxMe%{o6EGD_i|40|P_(W8g1SN%d87cuhj>npaxRu5gti7LTX* zZLvrBhgD^P`OYlBoDiFs!pYG0NPrr-xI(Y@m3z3{&Af`a^{J6AmG>Xt??GOxf4EaF z?mEu>Rfgz}XU{MnKNj`g)`tpClMpv!e6!j~2#{`z3#b?OrkZw 
z?BlY%jV0A*;(;!$0ej3o`7L`ha4A4~NPFpjxG%u>v?2hjHCJ>=dW^rjfc zftdn78l>^WN^Mt1i`@q3Kb9RluFwJrOEPkg*U)$K&eBAGkfFXyAq5TfKVL>JuSxkK z;ViGAp3ma8@Ziafb?>WiCK_t@`cDIYU=D7bSvWPEQ~38Ac+XN_L;bcFp&he+IPp~f zZ!yXt2M+%f3Y7bv-g`we;Y&e-<9ntcrib)N5TT#aG}v>=5^`}+-2=GgqQh%5en17c zWTXa2IXF1>4tKL`h=3;4f0M==d7u!Kxg(UObdNI6C zW7QFfp;qef;iAJDncdOe>8jHH@6_VkdKa^#lYmLH2-h{^VaPm=;H@se1&&YwH?d$uYNwlW*;SOA`KDehMeFD~2Hn=FFDmc1Wt zIe1m9&fdjq9n{pN+L-pA6s_HOT%Zv3j(eUJYnBXsIXISPU^^Gsbrcn+e>U^6RGvjp z84xPq<{AFdkf))MFx1}!RqSrurK>3CvWMTxd0O6|c{ zPvlQ9q|YagEsj?d56F6M!(Vx9;h42BOJD69{SD90 z_L%k|A`OiJ>jeJG^uD)WU7#v-hR{7b zJ3G*{!Y1Le98wA;M8}hmaW)XQP&Iv2L^I0&(fKH`l z+5y5w6gk)-8GfyFE5#G^*MCeen1?n=+>~=+F*(lt(uH+2|M9)B1A9JOW;VK)WjlA?H_G|6})8{jtVWA1$rd^t4W4GMW*V}?mGYTQGe)O~D+OPKoiwUQ8XtL`Ai;`)My+IDbjt)qmf8Gic4{6T<1rE zkd#{UD`L(BZYQU9dj3l3{F9B}%`k}BmKKHlf26&4JeU9eKQ76LvI>#CA~QlsQk2lP zNA}1Fk(4b&R+LdhDy59QqatfEl1-~H12e7@&=zQ5n?_WOLl|DE^gygRS! zx}M|lc-)ur!}ssc9?VgxXs54xhZc;Q+T$Y|86Y*oYsI+%+}qU6>Ys;p{?MIWaPWF- z{Xm3jVLGVgp3#rg0@BW>#zMToKLCC!9KM2y*^gDf3+*EvKYXtC-hW&66fzHb9nQsa z_qsgO5V<`O27X+PO(%7;(L|5j!;-k-I8C-L?-{ORd0l^U!1vsOZ4jWu!ncpWgb zfU@fejvG$?QAU91bjm3Z*`_Z8^q z!BfgxjJSR4)@dW7rYEUqFJK{oO@&2*-~mD-i+QQZ0XI{4MuDXHXKwB*)5}U~@iNF} zDw}3Er)e_L!-K4))XE+N*f3ZzzD zD_&sYy0lwdyrrRGc;qul6P?oFX>iJKog(bmi)$RR{|;cytD2g=e|UC|@{O+7+mP^Z z7*t!fGlY;msiKkjtapor;9BN9hMb zYrWi`3s~08y{&xVJ^1R{Q$8^jt`zG+N*AoL^&rD$M)TqKN)`isiW=rhixa< zx!3@2_cxB6R4<2Y{St2M>(}Q>T1UTF)b*lW^KwSrhG*r&?WSZ37x%vTt!^E&E*1gp=S%{^wl{4yCsC~()l-gmph-&hsfl9+QX|As>s z-Qg%=92`sPN5Y1@*9eCc{@C$;gBt18-K{J>IjTHS+1H+koOz}x!2us3FuV{s$`+bE zyx6%bXS1T+0}&L!&y`eBLWf)lKF3S`0EP+sX&E zhafH)Klifd+E{9?;MDI6o}JHEe$5*t%sh3;D_k*Yz3v^NKb>@_dW(h>A966UJf5Ds zU-e+*`F<+TxM!OH2>DhPgwt*$97o1hJVAU!$ zaf825PKu{sc5bdl`qFVlMMdd>d*hQnwq^}e+XPy-pS}JhzvB(>?%mWviXNO)5#)=5 zE?P1TPqy6Q*9|ymAW$gUBw;|*ib>3tR21ZXqpY>!hW3x9(5E)-lRi#YW%LM>ba-;SJnCvWnOxKR# zC-vi!lyv@-f59efOHFO<_$QeE&oVN4@O6It#qq7f4&12!cd)2WSf!scE*YPt}NVQp$&^ zgMZ$#oeXz0P{^EJSbTV;ruoViZP{IeQsR`#R*RXoa%r$CfDI!j6zcBdc6asp4<7Ue 
z{yKfBr|g1nB%wp%IOs_^)ug4j6;``P@6`NVzLZ127P&8b8#wE*-o`uwDtDHikGaqKGiAzcG?p^>LIs8Y4@s#i8z4A4@OyMDEpo2WGM z@LNOp=O7?vTF+qdBx47|dw6=}>UBka|HXQTFecAEpku5zG&R*CSeSj|nTr#Rv&7vU zX%?bQJ9aXn{)_siq4!?H#?5prNMXm*zFEDz&wJBvN%IHX-AHi)Q~swEG5j<+2_EAg z_IbB6-+B@t;X`-jZ!4LPDfWTEh15ZH*_-AX9?$M`g^?0M6MVJk{$=fFOTY3fHx)F; zS`!i|_;vR)mwS}?=$xJ{e;S+=juP~~{FUZp#q!s$Id&}K26ZPcYO0fDX*lH;aeIRP zJ3crF`6!U~VtA<)=(9603?X0jva{-$ap$)!tR1tR;)6OKL+o_hTm^I!_LBrCT3v(ES2rFm-an_}VM z@RwuH{vfnIy1MhVvRUbahLG=4yVZ5u_zTx!xN|ax?ku*@M873&GfeLnn9s%|oE3tN z$BrTn$~}ReTgKQP^73WB+ZjbYEWM4M-fuW0fIdXjDylkV_Xmi_`L4a|?Gm7=&S>ao>h4HkK59ehi`Q?C&<#ysoF)9$jrX zUwilV?d#Wlr8(P4VohSd7K4YHKKzcW`|U{UcN~0eG$EO4sfT}uJ8;)zJ$u%6*`&in z9EZPh(m6{ir@3EIPpzrH3iv$bQF3KpKjpJfSooc8T|Rr!Ujntm`-Td~Ps4y$Xh%Cz z<$1{39Ec8O^kFWa+v;;Y&gJYM9Y?NH+uj#7(u{o&;B~p>+jM#r%a6dFEseN2q2K>D zF|j*J_0~m`Se;mm+$qS(7Z(;(l$AlbybLBWsb2-^ESPxWbY~7xj<3{|W_e|4WyOJ1fpqf=>Gcfx{n@5R5IrEw%gYPn zYt6G~{k>7r`fsC(8GQ>Xq)`fJ%3y*r7Milgl;u9o&UOOU4f(?4qKS>oDBe?dW)D0u zF>7o}pi`c_f7+y&PmV>?LjC7~C0MUNkOuf4CfAKND+G?)0ElRHWJz0?w~6 zB{LCrV|uDnY`9gu%UQMCUH_V(in3P6_c9ZaJ<^_x8dLHqWZ5%GJq9 z!fxZ#=3|>>s|u-UnHU&IU)ILD#X{22@3Y2!&f zsI+|ztbHpNzc*zG6s|8TpOw<7Hd*BmqZO0><%JnQE5VeTe^OONf+!4vsj{(1j!ICd zA#EG8nW(bayPeK7dS;=%6zcTz8xrGhb@50XxffR5!Bt^yvb`E)SBE144Gad=5|os8 z0|*fH{qe^iyEgApjt6PuAekcNw24fk3Dus5SA6T?VfHvSdviN*6~10ol{RkSHV*C~ zOmgTRo1THW8n8q#CUwn1zpx5PjZ21R-J0WVJ^YLMP4+&fJPhmoNoWm@kx^3T?67R^bJtIAeZB$fVKgBe32uS-Ypoihsb4%mRWg6qvw8CcHLFhJR}j^j{^nzR^zfm-PAuSl8)?>^ zS%AUe#%T`LWZE57J~)&l%Q)Q2y4tSw9K1#{5_Ey{9zS~a2}l=%zH;f(9=k`hrO&mD zja!-~`c^!^D+b?C9&F~-usS7mO)}0c5AEB65$=D0D6g>nC&*_$GKDjFE#MCfJW)DFJO}}GDh~L`u;E^y_Y^$QT7~thzVgCuD z#U`;$jIiv*6*&)2MC=pTAs2#w&>?^($g1pTEnC`KH^upZjq^LbjC+MZhxiHpdd1<% zPQuLzRoP6{R&q~zL!PpAYlHiQh}%6mXn12Bwcr9SG&6eEij!_LB=;*6O_;m%<$Q6Y z=)b(kzGh7Lebr+B+sEdByFE)T*kUy(HE8tnQ6egc%$I#7o(sPSEp+k|BtHjnm@MOy zNp29YA3s5CxgBy|nA962gG@s_WGbrm zcR5s&akvpIi{_sOGjL`YeHSsuc>F_l3wvx_9IwQii0nmT7ru!%*(Vp>3Qj0*ZjBp# zV6F^~;YQq{VEME^eF1Oit76T)!ZDjE7`=GdM`UfAiB6o*1c^YuIg61ccW}g!bym|k 
zkUo{)t`mV&ERQpi`lUxEn{_a(x6x~y*LT~oi?pPP6#wM=@}1N3C5Ky+IHPKjBli{h z)&0zmGBU!1)L}gYydE|mPugrCijo1=D^{^%mpVKKQ3HQQ9g5tC%Psfi5nTKo(rj!@ z8!oj;ElIef*Aw>t@S(Vb(zCAl9FCTW;Mk46Pz=fsF^^~3oyF# zjj+4PQPCjVw5d{^@Q%tJ|EOaeXs6=w;YMKK{exbtuPP11^z$h{2i~q0h86KqclV;K z$dkT#eMIic+_=_nE)f~R+F|t1n|xjkXVRCnYy+3BzDUzf#{o5ij757KE1?6brZkHI z@-^PQ;K?9Npqh#_)QLp=d|B|D0yv+KBo2D#*pYuTWSJgq<6ZqO0&3X`;pJdd5@1Y5 zaTRJ2iK!c$-X?!^1_YgTVJMyqhZj@-D^pK=!K7{spkf56!PzP-GV*0X!B>JP9K5xi zSYfL6ue{n>nJz>a>91zco&=EkNP^9DSXvCr4NTcrdLr!!|+l>KG? z=WzU?Z^8ReSciGvs;g41K9E77T&U{3F1I=gYGVY);V-+}lD{7|%(46H8tgVV>B(wsnx8 zxcPXsIJT(&*v=Z|LuVZz+4a&9UI12|G1JV)Db5jBSR$yKLPEzMct}mdtp>JFC=)v~ zdtEPELAO6SLl+el1-}O^IIbbjyAr+RYMr~QSd3cE{!*`ZofKqbI~A@;BkYzqdmteX znu!9}tz#1=RoN5<1fd7CmeLOLE-@41u8jtVjP>?Fw+f4!M~sD(vG(YcRs_K&t4%Fv$8GzYkmbcyMRt?f9Wo=Y(5YA)1_#ef-0?VMPgR9?;nI9Gpo<4%Xn<~EzH z?E9-ZDe@q@hz&h+hrePkpMq!2l_)mvYqlZXP7}**J%VxeY~p$^&t)Ysbxa+gFBr_K z94F^D`+h<%ce8m|-lGQal*q-&xq`TZ1Pv?U(LuC3VPP~QN5IfC_V`|a@=XEJrs{gC{5_jNWT))oX=%0ya$9n^DhkWcVMcke*3}r_mur ztmCCLb}AgFECs z;1dtEC+G$ev_UG9qm_m5R$+h_&rOL2rolTuVLj4UdL^>=;MjxQFL0>RgV2A1b1g@% zhIsL4Hsfm?1H5jmAh~3-fD?IVrUe7~jr$n>Ln@`7{&8sSZCzc+Iu5XZvrVD$&{^je@dXG`PK1sohyk7vH!Icht}M~Lq9~FkD8*~dDk#+Lf)>S$H2to z2FD@`CrWR+{EYLj^f8>`Ji-@-pKdL59snqmVB5(qyknXxCl79>=Qm^e`4Ku6JuWhI z*ZVF7e9gw%!3iI%+{KksWBfQ7>;zByTDO#v64qz@>D7)+clhILjrm3zPx^YBke7OY zew`bTxiyb|=R=AwOYt=ac~-2aMyd-ng|)Di7)&3(_cWt6*VPZVB2i*z(Xjs=d4dEmQwwCrHEe*bVBx(n=dP=)|^0s4gQ ztnKVW53h^p!@9B|h{lA|80<GSDGT-kkJ#}Diyh&^H%QE!i7WILAm%~DW!xEcuf}E*qnmFh-^G}yDyp1CW&X-%I zub2876K?v1(R)C(s4SkNPAFIrNRmP2(Hae&fz@ zABas7hQ6?r+^3;QHV-xBZ0$uO*VB5Juy?(g1~mMV{*1mZuRXLe(XeO-0h|3GdwQnV z+A051aZi2y&42dFVbVvtuu^jP%CgJcdz*`=ysU4P6dLb`zZ57B16>op7VN6eta;cy z$vHIbrus)|XKWWS6%taXv*IdHj=kYTd3?uN33y<&1|Hb9AU;md%&n{}e8ZEGz85`t z_c{7HVT zHVBvFUFD4_0@3GUqaXRiZZbDeRgbbXXDZ(d#OqUNEv~?z`(0x1wW_lw7j8uCQYVS_ z`qGBZLdh(Yl2L*8*)fSQQP58cQ*!}ClTmEBA*)3(dCVm2vScNL0f>%fs{|!9jG&!X zkrG@AaCz1Z7YI%Q7!vDNWa~zl(%f`K*A}XEI@7l%8!vu5Mb7-`F9UK(a6a6zOlRs& 
z_0!Fd?-wO>Ipd7&wiJKNW`Zd(gcRf<(25~eL+g+y$>ec40^C{D&R$_d26KiPcfqwhdxya%j4)LWfd2~pi&w19g zRxU0s-5CdQCEjo#?-w_Ja74uRu84{C8CvVmv8}@Ds9CSbX~|FzG;%6>H*WJLV2(XO zw44zx`P%7PyS8CW{6`!p!$))&V+4?}=A#kWis$3u{Xv@4Kesl!;4ZLVK#+Zd+I zw)4>B*2CI`mv<`clso13S5&z+c!WN+O#xjw|@7 z|6?>8OnyIO`1g~Mrkt`r{OLpSr*kh}l+Q#~el3hm_UKrXL#;HC zC;#;6?rk@3-JbzKRlj{Z6N<<)Xv$7U;?N!0P+}HoaGZ}}CCg%u9-w2psfmdOVZX>o z+Vr>D^QGBHVoNh^Ib$lcwu8Fyp^GkQYmkxn#&ze&d)NK_vzY{1N#>TvN%m&ne5FcK z>YLhi+TLD7!z^x%L}c&}rH5at&GmvVOL;dV2J#1c1O$QhF zq|_m%HAY9lW#p;g((t$xBArW8%bZ)%FgYIE_oZfbV|XzHO8AN-uVod%#()^ zLh4;okHSz{J{rLeOgHd#zDdq9h7B9PLIf1`y;_2zyplTSGA1fDDA|dK_5M+SKt9+j zik_6cXZ1)0eXZc|IKYI&q*d6yunPPOS%X3-?@Y$L0xYQ*f26*ecfx=n% z?`~N4LjVIP);|Qe(Q4gTYQpbk&z0QD?XuV3zs}`bPFP#yEE(PB@~mRmhdGb(;jwk1 zjfiDPg%(HA!0pz{R}4hC)3dH_e-U?8^^~a7wM(@lK40_u@-O}lb%-c-7BhUh-;npx z#*wn7IrCQ0`tgLUwi?58=B;P-q7xF9@M!=z}VV0j|4cAhtjYdp&20N zcdR8K@}RfeXAMzvCNIh8)D_W?E9BHyh+l#o{O^7}A`1#9&v^PMgj%KWM1dW5bKku_ zdiduNe+m8@hn}LSyi*ibZ6DG9cdt-2vc5BRA8ARBRKc3DyXuMlHOB_73O$}uP<>YX z$nMM}3dw5)ed;O7JoFkomUS~Ut8cogy^$n`pqIal$C-Fly{cihWW!w3Q*Y9fFTzir z3&cBgFHm*ljg@A(#8O+_zg5c+AcWWU-#@}X#H)X1K0um3)H4i>e`VCuJX5?Hat!Wz9vZ`Uk1~xmh&VYK=LY za*p#nx>^M%K}W|a40?#HcJ!=e?p5vWQqblwra_&~C<}8$B%Q)b-u-()=V?U@LElDl zPLw+)4vvp6Hp@>TA@V_XHeDWKRsas}bDL!G*g*9@b#iiYZS_w%q|(6uDutJI?V0YQ zj7K`nTCKo*a%As*91i8#Dz5%AIMvE#$;c@-ZIYDdXP|m=H;W&H7<6SA`;uz6?fp_Q ziNS8R4N4P&2u6xNJNY-N3=!4=aStgqxLIR{iSgoB)IS|mOr|dJTdApu1pyz-$Tw9l z0#6Vj3K)Kw_sfMwM*2XO0{ff>#it2LNfEtMur8Bd1(L@y8Q2DGob15lWMW+0(~q`4 zuT=PMSifa|YQ*d7kv_gO6}n1+{4K zdD{P%I`1&9Z?Wlw|LT_r2SACQWzzRgnliiB-rr;UvnA_w3dSH*SEru;xtVz}aJ&Bq z+g-9Y!pQQH^ps>ovX{@=lJUx)@R_uaG;LA+7lOn+7^4R;- z(VdURu%}^w1xNP$a_HA&Dra|r$(sy!KL`ThWF4ZGjZXx-9Fs@b?EFi&$X*i#zx=UO(P1klh}ktlruS0F4OP!>`DbeOOvt>;+Z=@n1aG zN_V0mY>AdEllKj`Y|4I1mDzxntvX1#q$idp|`o-1dc zHfDJbR*&2H?64>x=&gqpiw0lW-Z02H%k|_2l*cf2t|hDsO*ast!FNqf>m@#2lq&e5 zePrJMHsy7IqI_HEE1rilI`;RRe?BUB$uVy1D}@1+_q9%+wSAG}LWgO)A2V^Xa|LsN zVHMi|XqfCQZIolabZ)DtSBYVrU)*=CTF 
zL7Hr`U3kMaIXG28%3{DTCPp~lVygQLjuIjnB`{tEE%Zs8h~6bko8VumB*J7~ZX!j~ zkvS`F!qQQdLgE>5@R)+RpK?!C5z)2WT*EuGQ#{&G&ymF4MkGJd@QJM8cIaZ*~1meZ1Z z5mV)^)3NHO9*LLieFhn*VQ-a7 z=&v{jUDpMswQ$?>ge=>%BIKpzoJ;kYpGL*zYIFkd>5o-^8pF>M@=o6H-s#~pMfG_j zzJJ0xJ>$Hm$`=dQ?#XAyeSBG?B=qBb2s6_@g?*-fz650ccwxF=rC$CaTe3$$Uu9Rc z&Xm-oVR=T;52-&#ibn!6TyH0sJ(1g0JSHmOf6|8yGVf<#BYl;GEA46F7!*wCk zF-9$r17b+ni0PUi#i$c~f1B^KBP9EegLZH+P_57mrEvMayBg%_CbZNa&}rqAKz01& z5iD9nA%s(bl5zCbtAmgE75?K7}DooGKWoBe3zmz*jD7^Z9 z8dFw{kCGX@^)2>O`TC-6iWm|#xu-krG7(I$%6^k@>sAHO$+ojV zDX$GY*8qoJLk-8uv}1^Ic3GJx=0$(|woN7HKtwAp39@4TB6_}b`u2pU*^;7V-N$1a z#9s*}9MEC7ep?RfqI-Q^NFgiaj;iRuYLRgaS8${3_VU4umJ}r_-E{UEGT8YDW#q)fkc#|dS}m7?Ivo$IG>r_ zPYF0_^u1;BUU_~YJwsl92}P^u+-kG2JLnXC49D&}rd{ya?#Hp$>5f+(ySFUqayhp| zIxnpFuG}_vJMp!s&)BH=RfAH(zUa?KKNksnn9nM?(CU+3W8J;|)SUC5o|>UsG#4%X zCCD+87rInznEugL`W_gY|D`Nq9`%OKoQsa{f|cf!!t2@eWI4;aa6y7zn&0X3lPISubADQc(?hn_!Cx@bG|Dj!wk8XP&z;KI!aVM-8UC z2hA%#)JFVfX793yF6hG zkVJVn#X~yxhSi2XYYV>8*uoljr*tk;&UgKG>a!%$U*@x^M96*o&yRf)F9?J{C)eZIaxrK!zwX~+Svk!6u z1o?P7joZ0?(T;J)zt*`Qy_aZ426lXs4Nwk`Il@Q$>4SC8UY zG~IR+Tj5FLJcsjDpJ=xfzSnjZ@2$UklCBo0i~#9zOMCkaOf%9y$~FJp6qeUc>s2u( zCT%~hcy8N=+2TX~5(Htz@Y+#5GfT_u+qON{6dqezA!|E$I0g2mvI+|K`&hbpVPX># z7x!|`+037d1!)Vg{lT~xtQgn@`{2P~72ez1i?TJcs0q>yHqC&qzS7%MSeM=(P@;1H zvAijo_2L)0k??)H)O`=_`tpRbs%-rk^(;fa)f?Owl1+8C{Pu0X!oHrDnZM>w_b)Ad zm)G1X*8_HIgV(S80>}KW(-So@@J%>_e=mfNlI*WkL`J5gxjACJb|?wMUrvGzor=q1 z_&qkXuQB}@c^>t}_hd@>M^sf+{~BA#UJCwUiD)wXdI&rZ-@FZl)$+>9Zed|qaY?Y# z(SeGmfBt-g9~@d^)GQ&ALlVPy4x-)s5Nr!0sU8yEMz&>Lya3Sa-sxOc+^a+vR8(3D zEjduUTi(rQB^ZgeaPz+wGr2&6cF&|n@fpJ>^DP%|2#WvStF|y!FQWK;v z{ythXag5BA2H#@ytyPTMAx%+Et*Nz)$RHd8c4*4E#?dJi6iox3q0ZoGf5NA^^v zXhf*A->=mBT_qFIoHbW>%e7NgvEWfh!&oFqZ)iShd;Ik2=g*&A2)1}Y)W802mbfI% zSQ7kps9me?Q4YNtJ+excf~};0`#dd;(g(JVb>U18zd5rf5i-&ZXPJ$S`|%##)c1;rG#=76^DQWtyTyG(nJ3CnEHXHFmxu_I)RUqDjSVRj zBCH2J<@7I2(2bCJGcW&`%y@iy*EDav#h&PRx)wo(km~k!#ya(*N6E|d;20@aK4=tul6j~ofz%74zJ+M2$;gRnx^D?j_}@s%ZdGNpJ@f{^i)=;Oys!Af*> zrJ)kYk8hFwY0p|eLx#^j}|`5cjcVTG&D5a 
z++-59ka@|YbRcdZSrOc`jT;zoF;DW!u|Gy1gy)y*wYIdxEN$$3L^=c=u*1bkhU646 zF)_?LhPAmGg9u(4O-xjjALmv@ra%3M=$JOGdcYTTpt5M8`SzVV0c$>Thfv_W3m=kJ zN3THECPYjNT-Eg6lU2E1O_NX(717=O+*3(zoI=XmXs(5|>(iOY%Eip%WACsEaoWH)hrp2_vb?;|H+DLYqd!B@O7MH}; zXy2rtTw#Q!J`|wA(PJR9D;zpZM`jAC&EH*FoB9px+Kvvl4{2uro#9lQ^wvVVuvO`R z&#rAZfuuvJ4k~;51Wywk1;q`}zH_h03|JqI)}U+I4jX)&5_nZ8_3^0J3TY1^bBG23 zU5)XQqk>?~XQ42B?g|SPOA8CoIZ8@Pc_k`>kC6Fu>U%zgL!Sl)~ zx`050X-Z&<0g6Xsl0qrMa&QFk@c0{am`*3RoX?fBct`i^B-7@99S4`j@^b@@NE{y$ zo8HVE@QwOCE19KyAayyjSh3Y<9__N2qF;v(_m%|={G{?TU(@oxw<=s!yPRFPc6;Tw zLyU*~PVKlYe{P+O-*!tR(WCo;PnO7Q;nVjSzKCqE7T)AdMJhXWeD;EVl{B_vu$;U+ z^R{g^1^O0?8_8(~*8SWb5#a0SHlqBoN)a(dPr3yUk5EKZ{8SQ32OJSYM#U&V!*L+~ zb;l{XY8U@UkA~5VzbY$35X}4c@8@5}YwGCi-nLoOjD9EYtC|3=V6mYuU&vmZ)zP7# zJ%_M&Hn!by4e+3?7Zpf?pzEK*v>{JeeKp)V`@wj{WByKk@hwxQeqo$%s9w)#=-of~ zZcO#}*!JGZsn6^(nly9H$r8tRC28jNW*fY2T(CcD^P4Z{&cq!q4Wd*DEGW1PG+TXK zg@=CKxsiqKzqXYmFOD*pInuRocVLmYx$zzigBdESTHw9t8nUuZW@^K1HT%W&;?mMc zcKMFFx@YJ5`?)FoO)6T#cJA8)3t^6<&ooh0f~^I1DuPvTn?#vk_5RmM2ITcjtZ&7K zkeS!_iso(YzP=5yEEOoe>LQx(b1r_mugdS#`T3Vm9$)?a(jnq=`i*)cK@Emr0hL&d z#1*~JiwWvqSC8{hbqXmFxppj}&cn4is`40-?K}A2pN5#Y5)WhL7ZVeM50Q4}5g!AT z8OHGN($b32&+M=*fapz7P*6rjX4fuNF1p#N{^WyQ8g$CmIe1IX&QT3t5!nZ_*y~Lv z1@`Uh?(ZiCR$sJ|DE{lqgtpz`Km0SGB(7GxbG&E;#-*a>&@0cL} zg){inKR)gsqI8q$Q|K`BicOc`?wRrgmh%;J^PU6a<2UaJN=x5K@X@}t zoBJ-q=D?lufDkrAfO#(rA z@%A#3i8U5^A%h|U2`6Z*CA;m-O)UlvNNaZSYkNsf?1 z?F$WJV{n0`y&S`z*vVzwN%}}gUEsvMTbhb)gOLug-N})sl4{F~t3P{HQG_NYO%^!n zt(G>K8u!xqbk7SEsOhfCeKmcPHCta)5+`u;+An!I*hf)r2Yd|&o4~T56T`-47$a>C z^lv&S1q?LU0e(6~3rQOf!ko40^XKVI8LQxh-Rkk}Bt2z%{{8xKFYMrec&pik>9)^* ze=9wBu|T9Kl%DAcsmr}Et$W>Uc!xjnOp{Z=$QElmDZ|XGZ@NFx=-Bl+70SH%cuzJl z^MC$FtO*!!K$b=wSXEI`fh0dz@2#pc;e<;=?|sM@k_i(J4-aq?E*8iP*gFKJ?{$nd>vm|Lbw6Bp&8kJTzV&-K29= zd_E_0kJX6a@Fne&)8Wi&z04yK?%C}>>o_Q`|LSymyYjqpHR-m%HL{4vGZAN!*%a11 zu6xfm6eVi)jCcfNw!}3yV5M;s0a}C)Q9jDWokQQgy|qf-k~jb{yZ2;Q4yf49S_%}N z?*NR`+c?iyh27n)F6YyRmu*GEzCXXHNH_hXm4(IZL}w)N{89hIFVRcdJnu5nm{J|f 
zwV$+V67K*9xy$g=V}r{o|N5>(BH!fy#h3lh^-z~xSjd5nK34#dPeAoSv;3`mM?X_c zL*tY)*b7d8*vNeaYr#V|I$v(4-nC&HD^Iz%F$aAn~Z9;2+ zlfJo2b>}Y4q0`8gg*QD%)b^69vzou&w)UL2fNi0efBcRGInuFv_wL~iNg*~{M`Po^ zZ?^yVDF3++|NhaZiyNBV;BUG}Pl_$($5QnAwKrgjp82see^)edd|YQe8+$+{J}`q20xtLL?C@p}3J3th1t$wc7Piu?1^Stq!Wf#By?Uj>(}vp)R7mRwd;Whu zlE*y^f#l@mDmaSn;G~jcyp^0h_3fLi_wqcFG^|9g8@&CGqbR%yH_B6uyM%@=OB_Ru zt!Tb*xZPiwG`Ui>5c0NP~FXK$oKia%>aj^bbq}!ZF?q{X)<${KV z>3e+1WzWR;OOG|qTg)d;(P-PhYFu!$*ZBDO_}V!uSNiiY2jLzJ<-LGw+Vki5sr&6n zKor86CO}6i;fy97@C7%A$s$JPl$uEIDu#USEfW>x1h7@t{{jsE+nCO_aTG zhSGJ0k_G%|4J(jCqMn*uPQ0ESGCFFbY3Atw@-aAGHi-bG`t6{N!BAb7OoHT0q!vrO z<(z~!csO0`B9;bs>MZQ(eRmMfGMMd@1V$NVo}>h-Nnt#N?tF*eU()%xY2Itr{eNyejlHE}{o*3yf$pylj5)rK``CEJuKByXu>$O} z+W&PaHjmf#%NNb^@M* zK??3^j0|Mq+GF3nCr5WDBV!&C=t2B3-ObI-O(_LaMqlsNgK~22Xs+Nral|77aRDT6 z;zcgugn@|UP;hiq)EPrVPsCX)t0-Wu1)7@=Ruag?<0$m`&OCijwPfJQ${wmoHk+axN+83i_qs>+ZeBKd3;;Kc}&HjEcLA&efs?Q zIQBK#-7e`cMT7)QDw)qVMi{uc$uJJ(d#0+pcXB(q@m^6C&24pY82V=ifwo-QR)64r42SuB0s< z9!uz){<@%H0)qS-8HL+v9-J=@r$C2%bW{plV5zG=*_G%@PRP^>#_By7Ge5`bN?PI$Gci#!S z-E({SchS0SJy3R@zGxs(X*eP_NW510j?)v@9YtP=^~1x%&X;_~QsW@3JKYU>TRYs; zQTmdnx762H3BTLZm7ytY1hE5b3MKBx$GhV^>FUze2vvTF?+UOg`IR!?u3e*G)K1Rv z=@K!)DJuHaSumF+rp4$%$dqOoh+Bw&ideXB*THdLYR?`ub@hqy z@ed`mU%!0)iePV|M}#40U0od}uLj{T;OIxoTzQvkQ=lLiziFA7TF*3bWuVZ3wcpn2 zM$RF@Pn8`VOx6^M^j!)P{#^PnhcH4{%)xQ-V9RCt`!&1j8REM3f9vkw*RuM0LEMn zAA{)?6G0ClRcHYbtC4f2V-lW|cro_(=;`Q)&-Q!MPL2%fgq7uGgv~d+IWr7v>DRdy zFsZj^9bhq&l{7`9eBBis4qcYZO!#zQ60wJ|?ga_sFlL5No_zY(%y0}@n?X~eSa{do z9iw}-U0ht8OqjApC};1w3WM+oV;+Jd2l^-U=- z9j7EBVsrEI<`iuY>F$IsPvg$Dt=dVfaucO~dF6JC4X38_nqqJiuU36Zd@Ij>RgdaP zWTrZmk(1}Zq~jLWD;M2HWFI}ecm6}0%JdpsFZ-Yrz-;f!CJ>XXqC*#EzCoyXJx)%< zs3c$1vJUB`X)lf`AI|Yv^CrIAFH&k>4#*6vp0uqZaQWnk6PI0F3;=S%;~P1Pl2Bbu zYg*P}f54F#toNW0;!}0!-O%!fyE`-#XE|I;F|!!kpB;mmB86Xy?Wh1B-)P6cAz|0w zlX|OLc)}o_@1nk|5sNY3>Vo+uc?eE4)T+AjFEC2=9n#}r3e8!92;>-5{70#d$0Ao{ z=mdvbxewP4uu7VdtxqXjnQ<~5?n%0R`%PcmQM!PGeSLj^2!d58wy;)*@2FBGMyWU# 
zgU>f(KKtd;Rd97NwJN!Gda$1M@b=e9mk8kGZftT>19OqII&ne&C@%w=y%ae{fw?yxw#@ZvoI% ze69t;+c32HH9K3KuOaXmjyH%IhmZ#ETw;UMZ_vdoph;@ia=&^tQ!nocD1+^g<>9nH z4-Gs>s4;R&4-61Xb`omrhjtg|_wHl?p|gSs=rD23J{8q?nJR)&FBpJ>7RHPD_RRH|!rNIZhpjBWCylG28BR~MHzDW4H}ZslB3{R7V7 zCYNV_BQaT95u65;V(HeLB%~6*;N*m|(7t0Qmt|d^-08+vxuRS?teV#6O$!n3nyp56tV6|C3Mwwd#X zbl_St*c$dVqP^V7X8y_jA-V6lE^n+UI-e+Z4_4F={Ny;&Nglps^ZqHF zwb#QRPHh>Vqh92UeH}0Lj2bfr(B)BYZg2Z(j?L_fgu z!!Vfr*v8*YtvDlqj6BoakJAWO>agzDFJIC$pA(!Wht1b&H&mW~AQ@X#_EcCsn<|5J zBg!_m99}tJl&f80-Vun!>F6WAyp-=KbGgv!GddR9e|d|QF!L3{c>08@s_!YQkjxh^ z#Q6)WXQ-+!z)@&-|1bc*Bl87Qv`f4jnq=>gww4{d(0v z1Nj&$D=YMo5iF8bKtBy`a8VwbsONrXgH-2k zq&8m>-e;otJ#ZkK<=yvR= z8wZu-u1HW+TpY#iY*Fv0vnVJk#$mj*M$;vxQB%@I-NBGTUA~lNkq~rTZfiDO=;@Fz z!8+*(f}44}*`s<&ZmUqENjqpoW7`vgURDc_o))-W$+Ao~%0xkT3=F&+nGq01_EW$A z0x|URl|jYL=6>tw@ij_dj+~sF=CD_?MB)TahD$SKrrZOHoNH^r6OdEUdH%-qij6xU z=fBp25CGwbhzO9NVKu0xq0!jX1X_zlTnx@Dx)4}hPz6@e^B(15NqrelM^*_>UKo5z z`1tr(WHve?HL2nPU}HiWbuiOXN!P$&SXlyj#-~o5T7JL{#t|yQU^*sI{m0trSSm&O z4HRu#XN-RT{yn?z`uQVBFg_%q%`teVyy@aE!NT_Pi^5W`D~%g}r_1e=Gygj3D@}X% zvjMf?Jxl(rj#)EX?s}w6g+UuJpOE4zbUYBWZSXh|ihbpV8QM{Mb?|O=$X*aZ%@!RdZ>VX2ZQ5 zERMUOZ-;sANxybuZEdFJAe0iS4~q%=*eWxaK(yfA^78V!efu{0fx$u4^9+oP$K_S& zl+*vY;V6fEX1{;Ff@eqX1!xEsQJAK@dv?gdA@gv`^vn!)Cb*?Ldrtw&w{Cr)&c7Octj-c)*j z+wP+QUruei)PI!f&WU-GtoGaAx9&<7a}o~Up}><-ZCn3s&3atNA?EdV@l)HJ#i=iB z@-qp$(m3#C-$p6z@EOW4!cyH=Y#NyVjXAej@6b+Pn?*b#+Rq=qnhq zH*6%obu*cZQZ8KSIyu$@`Wg^n@}`F23rbE-P9!5#R{Fh8Q=xlBLSs=)z78xsN7|B@ z*hSc9NS9DaRl~Jb;=C~D@bt3JQ2molT)vo-)BT4(Civ+gJudLPBtNer2Ky z=q9q{)h*tK#4&I6%XGhO<&^5I(blyq^>LZ8Yo$Nfqr>P%sBrF5{u;u5 zseXyeMD^C+<@x`x_U3Ut=iUGRJ3?d4UP(2U(1bQgT4YHodx%hJAxn{@(q?CrByF?| zm4=Xnq?MEs8a0+gi%LQ&qDAt(zst<$^SM6P_w$|4@AkX?xNdXJMLl27=XsvRd(OeW>HEM`))iC3e zYGcm4{l4aV>-Ut7BSG0`-^e{Z)Hxc@NgUB+$gpubVIs8`*mKKma{DExJ6{M6Ua?@o zQNx%$y1WNH&(QGWmoFd6GQ5OD2@XQMPFQp9%mp4=IymSO6)2&TwINtwGz?LFrixlVvKaEU ztxaXyJUzYLvqzCOz785Vd!f}5n|b@1TSolSYxPRa83FG{4g9undAA&+>hF6F-8-{YtA5?K#>8Zwi}xKS 
zwps8&dQ~A)M})19_8TI0L(1bqV$wHVwa5`Cz8ih3HK=#F)I%>sl0;2GBjso3$1%yP zW?%mCA;2osMzoqCi+!C_Y!s}mt&MEIK|4yct9uOoV3xgb}`PUt}ggb&zx6 z1~o1MvMW-6+*dq`MnP42GP$#GP!8 z%N@ET?1UBCnpo7M*oCs-oZU0zAjdPRU%$SR6tcl7a`Jpg#y)+3{!&vm4iO3%B4&l8 z-+B6U>My?>(N;29wTeMEef;$5Co}J%$2ccUUR6im2`Y}UQiqKW$=r>;cl?WFoy?!Q ztE?6s5PiM%$WOQ1X~O+V!EfQ|MVEiyf&8j#^Dl8Ljm8{jdnl>BTz2qm^NGs^&O%_$ zQHwTS_$waW9)k+SM^-n&WBfQ()x^})FdHY@%T6z%Tkvr9E0V$i(i+DihRPkP@g;L5 zF{ZwV3?pkIGaGVpaty~DugE%BH23IFw_jztx)(;z(@5T=b`mv8Seq~(pE&wZ#Ba>| zx!?Vw@SqzRJGa9>ua)2itEN_gKs_HosD~axZ#Q~?m!U;^sdC5brq?|Z0 zq+_ByLQ15Jzu!4CF90>fv~9m|i%W1Dwr$5z4n2RqN<%czF!02Qs=7K~w-F;oT!O6) z%H-i0;S&>iBlo(YI(pG<&zrTK)pwe&wpec3l)qr3!3y~8+)mc<^}fVJ)idchsxJ|P zjs*q|m6rAy92Oov5+^G5cakl3#tf)3;7SS~@8;q%d(NB*Lw<$NVhO(bOV_O7?hhF` z(svGQ*$A}_;?=uF8?`K~toAm3c=zs9r)IOiL#F8Z_xttv$Z9^^@(WesyV=fG|&t=Porl_O2Lw<4BM{-u#9CvGck&sga28Hv7`p$YWNStwvFg$ckap5CSr}pzxC&vN{Ts zU9mr;$KIa();V0B?HCdnS&)821VYzp-8y>ss3+3TFy3g)p|yT2mXL)dBQN~aorvg| z?B3qeDC~kBy+`i8MA!u`NAWM`l#gxmj4hh_DEzN&TqV>Eqx?FvDAYKo^R%^pMS#c; z7O!NgDizEdZ(tCU+MMA!TCZuj(oIGrjt?}1##jEbOko*;5e2M)K`!c5Zd)?JHRKnZ zHd<`17`)4wGq7_g6UrH<(9%apJSD^Badx zdVcqAug^`lC~(|lZs?DF9F31>t=HD{(}ekYO5AR`7V3ef&^3Jo#*h5{sv>1q9Kur6Gao_mrtMeuD3NWxl?xM&TQf9HbpBEf7*lcmzJ`eLHVsR20+u}^lQ$Y4vX)mcK zoQm8vQcI*kMq~YMKJwlq<{!EJid5$2jT@QcVq;?y$3573-4My;r%%Gm+q$0rA9Zcl z)|&Rr9l^0`khTpNz>`Xs>1}-bc4KrfXrR`HHzrI>PLO=Pu7%QJoaaS-@!1Ziy}oxa z!FSAhz2GQwi>(GgRH^FnGih27x5fKl_r^+Qh3UY&2P z^5Ob4U>HM5)~;TCzh6X+OxS5CZk|6T6gn>Kd=TP|J|)UEt5=iR4eh;u2{UXLqc95z zdGq0e4jM+oc6NT{-#hOrSHJ_O7noQ}g%o(Ya%Jf9gN89og`m{+rKu@QW80{-``&VH zvIx^q*DES23Zv^y6Q1~%k@@iYwfcrXos1LXwo8 z_^_iSM^u~eShUxZTt#(;Fp@tQEmK7qwGGEEUYz*!gq+wXL6$SdME#jvdlFxreBw z2?8umphq{6oi$-{ht$On^SIkakQeJdT3eQ(`)XcT1R(D3=dt8-ozi+cyKNfAZTRr?fLWjEm=y8!xC^LbGq#oW?RA_ z_T*==+sAMHE<0tT2_io?H#g!(&MrdX%$a*k6hD@m`jR{bq^3?!F*}g}kp@r!hJuC8g+^ z)$JQ{Vz4!M#dQfGDP9Z2XZImr#lg>*A(-kIVMQ3Y{b7@>t*wxU>&$2*3G&Bj0RF$ocrF6mvK8Xu<=pCx ze~xbpQ`a-ql&D7}Yhj+v6W0>2CF&V#&p;NE-k7Fjs_@|8gDVfup1F!sQ~W!J*P4u576K2Pnw*>*x#75Ru{3MD 
zUO=0HnsxsuC8b4U2KiDw#5FqgIw_|(+{YZxjj6-=qq4!mcxLQpzmtIHqJEqADD{Fd z89k)8FhD#=MI%nc5~9w051V1+1?2^+IJF_pAAOG=Wpuj+%-Kz244jo9GB5vvlWZI? z3|^9Op)Xz_*^+cuSNCH$N-+{m2KfU094o7);fAoskZ|u~O`UHs@AH?S++(5u7iw*O zo(9mo+}z9w!mVH3hn&!ejIzt6&MxvjNHXC|6@wm|d6OMq;==&n5TJxTc7VVToKFx? z-C91w?XifS=_qa)ei7j=SZjwSjdEGHZ_68pl)rgnP^i4;jUIA_AfC7@x?~tb?3bM8 zI7VB4p+ukd$^B3&EtW14rz4|!(4Fl+4GR17PZMj+bqP1H-65?4wu0AOef4=eRlfit zNKc{3mEdVNXV~jDshKDQ77B^XUbj{b?ViY- zw9#_>n<#>mx&pFP z!|&izcIdtKST5G!zoA_Ln_xCTvyd*T285pWpDI zLxtZtPeMqHkFr*gTrgEmN$FT;H&(>ZJ9WZ70K*vc3SjMqONZVL?L7w|4VQrkL_w;v1G7QyE;9{wn9QoF=L#GmSiyjOk^YZ4B3S6C2*r6)hD8s6Erk67lbH@ zR8E~dIli;Oz{-hC42RH7OIFhe(Jbuas9i+#ggkK z!!~h62Y&9f;n_8MH*|O@ngmBU9Vp^B`c4dH_Gjh?M_WWtQKt#w$4VE#vncu-up-D{ zE;_w({_1<_WhUz5=&2^+<=u`58}!H%gv?IAeh+eU7sWl6c!*y{w!$eensw|&2|XuO zytiX=>gCJF!p$IwYEKw~SS1GD@#L5^^5p^{PP-Z_=anzuX6*e#d&-o+m_kB4>^Kg< zAf|TNZxjR!|MGl#PEu6`TpJ0v^g*`K5Ad_^>%QSIV3Xk70RyA_H_(nCWb>xVitlT+ zA~|~XO4!)OgPbM`%3;)&Xn^O+ALu{w*PjcnjTXDzL|_263o-j_pScK@g$zNya6is$ zg1S8Haqeez^O1hm~nK$p+bKh&`I3mx7>2v4h3iUso}Q(VcCCiFne5_u}ioR z`2}Hz+CyIkpiqPqr0LUj2MCv$>&NSau_WAXkCGR$gvU4~NJ{#yRSybHzth!MAxs~Q z{h%dg$O+pC4bGrPWR+v)XYKboVPqk-w$qK?nN+Azyoxr_G_3G722;65ozXLU zFycIvT1w2@ho{Lz)%+hd|O#Lc=+(UrRHaroI_m{A74+}xrI4C`rs}f zY9<7RbB{On%|twjAbVS%PNU2M#*7;?rrZRH(iC`^AFE~E{su!NBtoFYoRp2?gffCd zhZqGAwQ$)W(MI>bFtph1t3oQ8I7j*8=1u)MbHJE%-!AVoXIul}63Jeuu{t~~D4*HH z!9t;0;w=h%xI3or@M+P}v*U^mR@c<*a&`5U(LNdBI#z6H5#x~Fym`Ze=fob~R#27q zSOL7IJuEl-S&|{)4KvT`G}MdATgx+%=TQ3|{T<0$t`}Y#m$PrCCAm`V*gc|pT1kK3 zq&GUi8MIE51|1ew{wph2{(9-rhG%QuGPbs=Ze4;4B{c*gC*lV0Te;f3?DuYvN%b|cdgV;LKFXbHx>{ZyMFWL&6F5cHSa%46@a4l=|vhKS>Z*<$>CEF zMrQTfy8yr@Q8?i^d+4G-;!C8}*eSO;z+gkLqTr-7|w|Qx5zB9r9xB{NA;Tghd(?Zj=@%NU3 zuV3P3kK)oyoH%jLI@G8Dbj+>icRL4%h4rt=Tg(5F1c+Krk_#O!CQ4?5AL){(uNsMO zCxgJFapQTh=6Yfx-KJt^Vi~otzF-Ib0hX-qGj_4BB^^FO6fVq56*N}Z+Spj$c>L#| z7EO;#M{{P+&rq@?Ola7E==+XP_vuW7oX~w6ObWhx=gx`X;H+imO%(Re94H~7vF+7t zH&bB{82eWOBzOM^{Q%5r!{9YZB1mfB)-PNzhCzJ%mYais>CYqC>wsUZV#)c1;;)hW 
zK47>tT2P^!V}Y^-@dv6KzeKcG`dx?wFij}O-f^hdpQV|;@NKu z7p^=nG`L;IG8u?$GG-720Fn0ALM|*_lXo7|fopn?K(oNYI+I(A3Zt?O7PK?v{AwAr^nwn$5a47F!-33mPVPMS~CimKQ~@mJ{R9=U~tG-{*=bH zGqAQV)8r3D2>Z^-`m%mEUbrxxq*;zzcGTDRb3?;#)5}<7&wf%vcz57u#>x}mVR07D z^5NQ8a9r7U?#K;Vst^bW?Ce>MSOG+%IebDu9^ch6dkS^w@#CTL_6v(BdRP1Wy^BX~ z-Me=lcs%PsUw^|GXcw%9Km7ja$tCB=yL^0o(d4r#4tJ)JJyQIeKQebx8eu_Y*|G#Z z?BXrSF__kEh!5``EjWVcg>!yy5_0O)bjtm19#c7P5jxHdV{RA!Ob)i7AKtG(?whoZ z`we4xqlF9SKD+REBW9vpS6QhFj*Pz43D{rR{p}$y8$9#abj}3rDtzgRB}>jc<{61o z+%$l{gv6m3sMlA*TT=pE4$sF<~xrc)m0}EB1u^9K*O;IBp!Ne zGr}<- zi6RfzT`9ivKlWngy}q7s<;vT#j11DOU)#PXHb<_xxViY{_is`c6#d7j9O^r&m%pC% zv0S-5GY(zwJ~P>G)9UNrzicR}Z;hD$KyznGrB2P}x;2^2pDYGEG)Y6?D z9Y40WZ+0qh(VFCuNcY9FwFZN?NAPC?_`{6@?!VuvL92!DoS=^mN`L5+gxyr&84wPdl{(XkTKkS@;})VufZi>RZr}_^;_zL z6H`xNB_DHC1M;M0WS~CP)YUs`%l3E<_$NCkT*DGen>>fu|J}0xhx6&!$^@#@i#Cwl z;9%drz4t78b}Fq~BS+5jU@EXgU$?Zi(@Yaj`h4$kPu+tI_~_C87dvMBqr=cnD$!O`8{?qhRUBK@*r+V!`|!bo)^DELZ>Il?wf$dh zd(6<~LG8}}l=8FEl*-+RWDu z*0aCu|L-@_=cPS?Dl{ZSLrcq@*>3UQ+v0WGD+YXT{@zgrpKv5Qy)m&N(x@Q*zu#G} zA*UWZDJt5&ZQEjnz>lr%uV33*Sw*FPN%~*j{qOM06OwzJ$hUEgjf#=|C+GQgYQRrh z$#w4U<`C=a>-+5A(|7O3EQDIA)hB|}^AjC9eEzAgIcI8PbNG)%vQ;KhU7l9xMLS*Y zzx;z&Qd?Ua_>TBWvdeg|O1)`;&1;NbHMVfAKY!k#IP8;Knsdq;ue;Bi6pPf)3mvj% zyQeVS04-;9yvyh)_}*UN_3f$G%hFQe_>KVsQeJ-8*xsXIdSRk*$?rn zEoaZZc)rTa?DPJN`TybF|6W&Pl1)%3DE9a*U4H}j=E-lorqBQJ6aI4Wzo_Pq(2svQ zT}|yO@pSw4(NU4c-tZ$&pFW+duWv1J;q7$8fBifDs%9H(ei8@-4c)nH7D_kB>QYj6 zIXi!8Y1!cZ1sxE}Mj}dW5jw(le6>NJ_7HByoI{O-u~X@$buT1K{3k&Ezv#)<>Kk()6&ZQV};_d zfV}9`b0?C5`X8J%pqs#b1+U=>1eq(W6N}w-%xRf`48eUs@-ejw2cEq8p=~0i&tXR% zJbZ|Fw(XneyZUf}yHjB{90npjCSpW)H(ak6Xvo92a3eWwgE}3->&;4uB(rvmm>rB_-`PZd^Bf@Ndsw z*zZIXK6?}=kuy3DlVX8XJ-Y4omJuy4p^%Lt_8mok7OorXQT~*e%d)WfFA{J^LGO%M+N)gD=c-A87}z$i7u&8a z$+K1gd$3e;jawGS));%g^`9i~(a_ZNr_1km`CfYLVK3LOA7_-}?VzTkZh2D<1>2{4UIN{LU0Y>-%Qo?` zaBk`6{aHdCsf(7q`!4y1d}FD zhV1xc*Sn!PZ=$jNLLh#%I$7ZrWtl zDb7;69>?V*9i-U9k$4yi%44m%T$$Ok(j87tiW4Vh!@_8F2tAqkq8Fv5Fbm*83ik-X 
zoRvk=N7uR$LJL2WY_J@Kz+atiassurcD38IPWEp3dh*n%0sZ@P$)hWCzr`gcE;Sbj z+{b?$HhR$E+}XnVi=W@7p#mM0cVh#VNZwnpaG}jnh0!JN-o>>mMy=)>Qbqo(6bN*O zc5PQ#9Dp<}jcF%bL>dU&KYyMQS+Js1)){LVaU}co>(|^AR#1FnXv^C7&bx58=(RdJ z(i@!=YIhb^a_4vMOnUmRy529dY>=4f^`xYj{1f@rE?T9JA7=;Y3K}YM-)zwu_o}Js zMBN|}_eI=mejo8#KBjmxFV@5q*-1XZ@$g}xQQf>_E?*JF##-#d7ObbQmkJzg8VTjM zZywca&Y9fAlRbZa5(}lR)878Iszdp%bBuyKn1#V-G~GaodgTh*nP(ZIEoRY`a4!-A zoM7*uWd9s45Xe#lf53}BJ{7b-eC#-@PPw8FLv{;o+f>ik1!bHxMPQn zR_J2+GdL?qOyZcExFGX<*LvFJsP;fskX1ul6Jt2*j|)6Oczq9MecZTyeXR7^3_FX=SUk})?k8$m#HZ~%U8(+nr@c#e%Mcv@1Dl92Fo+I!S3CJOVYKCk0LJToF6 z_GrItn@G`1e$ZiZh5YI&^*d9`MKZ4(IB%N*O{E~?SP6bDxygUYxvST%W%tw-Sm=HH zQt|QQlAO0D3S(6zIkmCSd$2In^8f;Y`8JX%RR?j0jg8wn?uiIwe>l&``}RqIK^zj1 z%~a7D{-deML~)o=%o3f*h4KM8ljKo_?4IF0S-xAw?yQP8@87>DE>2EOy>FXH48)ld z1D%|%UcC6A+Oc+9=5X7@;;IGouT9!1JJ44jZMCUK55be4KZVA`jIAsx-l}n7nc%WS z%1aqBh@hTCpQ;DJ#)?cmA`~bN8zCj-nDX+zl1Ta9b)8<+VrY&|0vCdQP=*LrHacmp zQ5^P5eM-n`b92NB->+0rz(80+&8ogTET`=rXX=%sDkE0y=!4A4dLcV>?X$m2?Y)8SI^B|80k zc@91GKt6mEwdgl*#s}m{yfkzRZ8~S6WN@$>XrOvhzysTuO?N7{B|p`W?k@y00WN8! 
z_&v!`b8~a_i{OQzN6(&7^HeA@kUVRB8J!&g*UZdJCDb}bMd04Q%U4~K)a~inA;f{tfm~HJi1kp{bAfYmz~ylnJtkEn%^*Q$H|rqK@c5!^MkzR4 zunxIrn~1K2sm)4n8eN(+1etfcwyE4|t7bSRNKZJ}oM!Mq!)2vIkIZRZslYiQJOER= z%Zjx)7uwve*oxW378RcU*y^q&6I}XdNy#Sej$HXWJXGP7h{(to^V~JI8#fvf0NaI3 z04_j9uB^1QXE%|H-7*WF@bbN?>R?}eUk}4yv(Kc4u3EkNeQoWw51hI^HX;?JM)t+-xF;)7=4Nt(YZA9n(3KTax3B{;f@I; zB!M!$+?5Nb;JXu!DTgocJ9@OuT}OC?QA8Kyxst!yoYz%RIRhef^{G$mJ753_WBwmw zx|^t<^1aJ1KE>T>AKFcz^Gg@Tk_~Ls@Z*#SOB>Wq8q04_Uft={$sN$F5sxuRp(r)} zX~otz@ggmo2+eZh5(t;G*9j@2K!hy5O`~gVz;GGIUiHBTg327dl-1SE*RB;7Sf2s{ z(00Zff3%U-(bBRW!2b^RnVECe5B!p|Vztkdv7i`moX=uGL-G%Q)mNCy^yhFklw%R{34ffI*=j&aHdJ!twgol66e&3 zS@D>mj7NI+E+Ff@b4o{l@9!7Sp0(YuVZ)9cQ$mfUwBK}ecw)=z)-luiXia6gk=>Rp zzWPzXP|e%;>$!6erV9kW9|gDFy*pQO$Kb=FBVt96*-ToYB(ZwsN`Be?nR>5x6Eew; zVO4Dpw2u`Lq)Yu+SlCN@w*FLPWLZhcbZzaljEt!|a+8DeY4Tyo;6Mb8sCR0e-qs6R z$~bJ+LcZcz-0F%wxVV^V_J3#8u%qQ$2d*h&{{&cy@_+A(;00^C^qEmP8$w#^}u3(GAV#uTI+dqM-IJ3@dng=d_Nz)xa zF3?b@M1Al8I1I(*cQ@(^!&qt3Rqc<6Jcwdv0)$ljCGl+V8nat$230AGAw>Tuo|z%n~dO3{wgsA(I|4BEYI8RlG&D|G}uFq@4`s z06hnPGm4gFrYv!|RxdO5^=CIKc!jlBw>=Gsh_JO8DsVR^oCs5HB~t9@WrE-3Lo4wz z^z%wo`nkBcJOkW@h4Dc8AA1D?^B?J7e164N+D%|;9PI5Q!omnG#`0(gXcbXErLCjG zW$50$JEsTcYMU-7{knj4BdOAoSr}W?>CX5@f;xBh(}d|d+Ob8`rcdAHdh}%vEuHEV8N{I+Y_Ba!Fg1IY8AQHTxtMTZ0tc+^kU}eKX^Mt?JL5u)YSLQUqAN{ zWIDY1)M~B&bLDws1&DQGbJ;2566;Y(H*dDVCa3OaCkUwYylhK(NyHI&?fJ2u-cWX( zpk9605l}V8(CN6alJ*)lktt#z2@enL$nfsYDa>l(fS4twqpNGQ&=ohBoV?Q1^qA+J zwf$QzL|5)Gi0Ppq*98fsWbf=ggqZqG~V0ytsfp{szPSc#oo8CRz6qNPjWvIh4*INCqAwbfPV+j$I)G8y5Ct50VJ`Ab`$ z%oR3?#dK=n?{UDwO2#SjJs}S=9V>Ki9T2%pNy0}zira#AY@KpCp(SHJtO`V7YgS#| z#FQB#Eg!6pg+@dKB`M$+>g#KNVHa@X+~(9}B7*i=T|lN`{^t5st5&_Pf%-AklF7)( z;4`ate*Dzs-f_TIR-?UwZm*En&aQUk+EJG{yX4%GbJk4*Yp2tRtaVvBatYD-g%t5G zW(iggX>q-zjzp_`L~gq)UDo=GC5>jCK88gJGpdjJYkLOa;b)$<@KMFbliE=9zh5j6 zlpX3iKF=xfPfO5*XlibJzfM>JQ&gs-BhT8=%d4zK^kscB4ATg|IhiY%z@?<6m70?B zwV`2=3r;jCIeD6rl3e(qjEYwQL{CFr4EEB$ud$CF2?KS&suN)uEVMnHgF95~V z%k4!E8*=ibCe*mAt8!_g`Io1kS`S3E3F;x+)D2uxfx5-xsSwPW(f 
z4$)&K3fHI%ll@Vidj9-g&5@QX?mA__HDEFcPE&uRi%6J9t%-uj8_-Rshh3fHbOV6b z!+^Xh{x4!pOA7F`vhhaW2ofkRF|=QqVd?pN3lxhZk7WDo&-hpm&c#c@4w`=lj`jR; ze!CE3e}%lIdEJ8H-w>(kh63!Uf-CxVzdYGge>~*x&&*L z)-PY=(<FC_^(38p#vND^jrD*7o+umJrn$5%e zk^tZAY=dRWt#RTD;W-&_4A3j`ad^0|M?xBU5wuwl6xu+wnItmL16?k^@&bU|EI6G>wz)%M1{+tuefnX#Y ze^3Z4g$C{NVdPZv=lkYY7n*n1nVwWK@d2|5Ti?D_2+l_d;G_xRq%~#A;}b~)M+V5)=>d5tk-S(WZ+e*+EapzhDIMa>PtNo&_ak}H3i z?C(W{ikVDN;L7?bI+}K+ckkZKS(K5K^z`}j^OFUFj@rn#@802QZ1!=Lt;|IP8NZVE zGFfc(YM)M|rGFehu|bU(knhq>@O#fLnAP$KY?oiX(aw(27nr=!rJZ^mbaK8;>(oF) z$&?Tp$$LTh*=MdO->QN30fooIf&#!feQ8i3mq6-I9zCiMCQ#+wH`?2?UjK?T+A(Bh z!BzQdW|)JcjBS(g@$#9DMZwc`^5==TNAZ)O6yZ&P-lS;t@MJR9L1P1f13d=|W(59l z_61d+-KJ}5B1gd4a|>x+OOOT5rzIyJ&Rz$HgtrHmEQk%r@UPg8XC!S?RaIqo3VU$U zKp^OowQKwL+3vnzojPX-$&Q|`(-j>e zZDg*|0Aw(x>cJitPtT+JQNqmn<*RQhg5Q1+N0|x`fp8m;QUCRBu(?9tTDEA#ig6AH$z`fuCiEQ{vt(YW%G{{MuBYyY^%gW(b#0XQwHq%# z%#aiBy&r!GE3@R>iN-0-901-7{{>)$WkrEkt0bLz?QYZWl zyZ-K7$+Krlr9*fN-F2zBuYUDJRfpc>XoEV5TY>2baQw!NQj(G@SFe6Sv$K3aAU?kp zct-mgAd~zdEiF7&p?vVCuipp^c;K84VTlI)3?&-ByHUMFWcOuN9Q(4_{plCty|Z(W zLvgp3Jyd}1+uDptO-?3AJq5`-;72(ps62Et-#li_DIJnOV)vr)Ri9d$UFfe97q)PSeNg2!3W>3M~o8CpWh&pJIH;@m=Ubk54 zJN!H%bW)aCv-Xlrixx&;Y%ybvR3BD5s(9!BaWP&bb9lL9GKK*w?z0=Lv8sn4z&MEY zre>`%Go#y1#pYhkCt@AlkH2nSLVR5LBR*zbE~&$uaqbmcH7F6jctIV{T*oHk#tlLt zkh1t@r$KqXKO1z?8q9trnWZ0n_G}y{Wo)rI;56U%jh`yf zmr9BLD1VSEe~1Hf^*Zp4l#$gjX_~75k{;n#S+q6fC7Ve8iMQ6@>*eZtSU(Df21Tc~ z!!%OuPYB1T&pDNiJRh&Ku}8y7iZv2u19P|DT{=;ayBfDRtuxv=X-?d`_x>Sk_hZc$ zp+YZA5D}R6`>~vvFh&(yg*|^wO;B5CgYKnZ!yE)025tftuw&K1g`-Ji79OB>P$<+u z!g7urxy8X@{r5qps{vPPQV(ns3!MfZhMSpuwXKnln`v)q2q@|}LCAS-z89e6G zC$1MFl*&AB6%}ihP_7Qkj~E~(xUBdi{Di@H+^wY6OSOsuKJ4Kx7nfYy#F*w@)i27* z;8qwhE-Y85tKai?KX%xUTXroe30W0^jUVZlyt#e9rgVQU!Ih)Em%skh3Lo7SoK!-E zFgv?ji?#f?alY3cs!V=7$UAwB`}rzu|Get zKbR_X;-d{sxN|}?!D(FrBL!a3HL+{g^hldmQJ5TjQDL<2xNAnECkGn-T}{hao^^$y zwT85(yZZ_KuOKSjuA;Bb4Gb(LWx8b9kD{D+{Os2ioQ}%4;854()j=Y9uipaa*d{hu ztDm^Q!eiK~l`2++-#f(qt;*tujO{;!4htWkXG>jM&oF*26XI_6TQi(&HhZ0NaDF%) 
z@ANYD?@xkF`Qmw<^Zfg+ojSMrxvLzgt04@-1yXY$Cmzxp`Nem@JY}DEcu9l8=+Eh!hZ{LnH3(M7Y9U(o|N>hkp5U5|147N@^|8@QoUUiY`ouJa#M z6PGOy+A#kAFU{P)l_0f!dRF&khTI=zWxA;9;Z3%04=AWHs;2@6`Vl4tjV+i4Ku_9g z|NXMt8fh7S{AVHGJZuPmhakU_5b##$2}pWl1_sQ)TCgdky7V; zxFg(B+C4}4Gua{_7#EWMwK*?+x^~8Y(N7Meo<*bz&$H$nzIuKCM0dIVaie^yX^-|^ zxce_h*S7TYmoN7=C{|uJH8=mB@3;1!eADvC7wd^}Hfp=v-QT}?^T*qy|A)>k!?&O& zpw$?tpA?XDBFClgJ6hGv*G&1E_D_!cU&Mydx9=SvAZEPkE-wF{H|X2ks`)k$PtXG@p=!1&5I*FF!~rnsQyR4s0r6}((V5R7 zt*5&Et;a9Q3$Fa}BP!e%OJxkHjt(`L2@lLx?MPm|Kt2F^1y+C($AD{nM<@RHqh3kC zDoF?5irgu2{H12sFHix0*FYCf>O4O@(11*y^TNppPcq5+n}BPrx%SM zbQnp9REh-!nOtjIApH5SC)y?dMIhJtfwI#Q_jkp5@0e$$J-Y4Qsv&(O8y~v#9Hla| zRw~?|NLi?Ykh~)MD5-lwCf*HM$i-%orY~QvQ|SmG>az!ASDqPVZ38@S5C6H}4&pGy z$;kYBF7G;3UzgQGr9o5o8piJB=0+|Tao7A9vG{d?iV;L4Op!`FL*ij};D|X@l~Dig zO^XBq9hI)tW$M0ebb-X9M;ZhH3PwrgJ68UqgF+zv!}NEesb)&nq~Ie9s~Z<1I|GzB zY~BpT4LN_#Bzg(ge6#^Jz?t`rkeX1%t`|J9O)4SakXPUxeZPb)h{bdOcBr|VU~aDn+qR;x7NpY|$w7tGdl zp?WASO(IDel@rzqRz;(MFzoexCs#q{`s~g+x1c2r1q|l%;>8P+VLq_&w=lyPMmIaT zx!q*rp>&Fi^U5SGJ-SNoWa#bfFP>#^oI-`n!-veQ*~vronN4#o<89E9zWU6Xj`7Ri41u%};FOdUjI>G+Dbock z%TuUe!}j_cRI#*=9}AyJtUO^D6^`xEKwk2RDj~~aNcWfx`svIE}N_n{!F0^k?5_|A1Y@lX1*&Gr#F# zn;jgmvwRWCHSPgJgJ5cb=ryljBjTN0aMwRF#u5Wd>@~o1n4KrJ0Lpnimq}Woo@nYJ zXeq9GsG+UB#l0c*=FRi0Dd@fnA2m*19zLO3J6u^-{mTT)v?+q}ILl7W1k#|Ax({#P zLaRV1@K?Xt3=f!jdaJ9ect#`TAMhA!Bshd=K;ZO?WtIb_!B_RrN zo-Oc>|3PIg+M#|5Q3zD)!~6GVM?G@U^2ETud|5sz7`X@88}>vuB@j+JYm)qBIjeCI zm^%NSi-sy|{?t(816h_<%_Ft@w=Bj88BUpS>LIO2S7#l}It@2aAh+}eV@j-y_EL2? zV_ClUc>0ScPt>)v6ziW`=ll}hMp8&oXUC3Zr5BXTs3EWH;xoNv@3k1A$PkW?>g?JK zXl%act`li2kKUC1Acd3@N4FrgdS$>cegr)gxRQGYIA4XBRE^Uk}Kh zqfO}fT1qD-3dHNviwq9T=e~K~*u7gM^kLqiF+1m--I_VK$}yP&0^zgZ;X{-}35$$N zuL!G#BwJ@i1r6Ch?8x&Z8VH2$%17pc3wqD3 zkxFN;;{`<|OHqNc^e`}pQrMgz_gmZQNl$4^|MV$Q?KW4M8U5Eix-~4t*V3?-Yudy? 
z228!!twqkduk%>3EP$$gZKbmag z4Kc&>&6Hf1$|oL~A(y#tn84e-i>eb`K%Le4tpf%O^%7JMEWJ=2L~7wve;+X}UL6(7 zw~^)R$S|DX1wLF8HktA53Yk zuO7UCk8bANpB>IIL5wFxqHEF%EWh8_UPUu$!r6Ue*Flj>{)ouc&o-;0*eWVYM1Dg_ zeaDW^sIfW)gQpkWxN(DqHWYt-d+x<1-TnJ7m#bU!yb25gTS?w`_3>u)U;4RFhfhfG zU;gXH0L$%+`$1d1XadJdsHWiYxT?|R%%csEmIPo|>g|0%GJ&PIPGMa)@d+Y0K5NTU zXt%5ii}|SOy}A^ig3O!Lweglp5-9QTW5fk&GL%gf0{O=-M3k2|Z`yBX&*mTkh!@d4 z{Pdl0Fs7MVN?O_j3UH3CwY3w59ig-WfqioP`Fr-l2AZ(QNVL*8E?64s@jBAo7Hx6# z3owhg|A235ttvJ_j62to3>&xf#j|I}4s2B1haplg zLQI6$Lc8zR{rqofY1+e%%nJxeSnMg*b1$CVM336pObQ{m=x=vY-#t7`sQ=R7^qxjgpRfv3gA({yza zik!@^j`omxXB1snS~_XsQoru$aolr*G3&G43R`?sRr*uxy(G}GU>d6Vf=6wB7BJ><|C@MWQtn>1%}Kl`LzOncnmaL&XqXGUz% zIsAP+oRoFp*wObteNr7z+D$Q=I^L8iY!lV85e`S_1?udEc?YGLFhL;5_`%YZf7+V7 zn%V)?aBgK))fgV%PF!gf@P)yN=V0Lb_3f)RWr}OsTA2a6WsOgUT`lMoDIiRZu|WXL zIbxHvY&{7sPoZCcx;O`dHYX<&K6Cj~k(NpColz|t!y8x3kze7ysGsS+qS_P1uaPvs z0a9mCE`eHKiD2==2ixmE2{P-ubgF`uur75m^A(V&kMf5Q`&y|!Fz_C~6W`E9lA-4J zvdH#(N(=(r9LW~y;N}Mz#?T3Lj+d_*)kNIQ7sPINbJGkpHZ(#ANGa#N=YaBNYuDmQ~yvSr%f+52C?=U;JfacR_h`S9Mh2ZtI-#vd)?7P1T@NA$JNV zQ3!F9go2L-YZe9%A&>`Cn&# z1L7UE#F?irr=|+;J!csYFT*{tHlP>^um9q*ccjrxYw$=zLj#yuCo|+8>N4*%Bqj#fjX^Ci{0B762bzNA@ma_nW&C(C8u6`F{u}-U zQ|DL*l~lr*taYOmg(jR@r+Vf{_L-~tc0nv3*~I3_yX#|kg7*FU`w|}r{b0pnJ3(eV zH6`X7SWDor9PI2KDR|2oojuC;JiEn#a-WsnCb*{0qaM=~TlZi$zKV z;7>_Sb?4UY+NJ8e6NyC``rzQ3H*dCkW|Y*u9&Kt8_(%>Y5nU0pWJ1&gAT{|UNzGI> zwabD1Ju|4?M@5acL#tDZ!hf<__m*W<3uxG~e(%Y=ga?0$wKP)Oz$0r&r{B0iS4^QS zxCxf;#fz}i^%cca(XJ2Z+AM*WyOyw%vr{uSO;eLasie1alBk}D-N2<;r^O5WG6$49 zr^F=8TYBR93aaoU4fm2WM}&kleEsGo-e86)(6x^0$!--vgZ)E2)ZlA<<-`M9-$z-M zjT?q$4xk7`!5QZr(|uU)9<_%NR8!-j{?5gu*-Nl2tIOSc18v}F($h;_Cgo8gQwUVi z@tPQ%A0Ho2mPm@oJwWC|oj+b=ncV!vt4?0cLPBe|udrKn8ArkGpf>nr@~!#`Cry}P zA&{`gW>^&zE(P3-Ta}IPQG(w1S@q0^5B3+k{jL*PK;8hHr@PBH_IY02SCT6X>-zPe zmz-jY@{a_z&u`fhy@tLWlH-X?ftho1aKUv!LlRoUuU~gb zPO|=^yuzE~|I{kf%tJmE$Ifp1&G z9V&J?EJ6E5q7pPvCthHog z7mYWFLwtBb{_dx34V&g2VZ+JOrs}8$Rpi$F~NL5I<#8OEs&Q|Bz%=Xtv-ZyC2-1AmgzAh-6h;M3Tlwr<{&5p89oYR}KD 
zI~x@>D^8Fu>pJUahhdx{ng^9oAE%^FbTarz_JM;3S3c|^@SgM6ns%`!6b*zJTqB4L zkLaWsUQmNBO+FwwEiI4-(5;mu=te^zP5rU{b@SJl$4DfQ_Yr)!o-_odrYibAc=!2= zP5<;YNZhd8zN-Tb=d3cpyUW^$9NT7LZ-0r(tzisT-2Ru$=4xuhQc{4Qst07I0WbF0 zOzP5a6;rttmTUw93y~j(>Any-Ok(18AR&Si0w0|o&la9BRiws@A0n$mUXF*4z234G zmwJ`vCv7{2!e_+OF7nIb`ylre0JGhkoE#&r1m?r0#h;Ifss8+VSyxT?V91lc_Kk))S>PR<`*W~Gvx!2 zcM!BmoHuz zR90k7EYCk)au0b?f{2-ym+tnV+#O0v)Osx_Iw6Ke2E5`W^`y|4YXoG8fw_i9PGsJFvE zr=-BiW$%Q11Y-!_LfOjD!E0yF9+<0~VYEDa9=kc|XhxQO z5`^@NOTLc z$$Fm+?JMveu&*oa_l^`E2abV(EM3DET82eI{!*RwH?ZEgQGsa-S~A~yl&^5q3@^-y zo(M}j428lP0sz4u9*6BEJU?X&Ufzu{Tl5de+s#y2TiZvVa}984HPg|}?cTVuOoz&? z8aNSn1Xd1rw@p=BM~B(TP-g49PlHyL?#d_xo;s*aoHX~|vKTXH8k+=&L3$Ku2o&$2 zS`R+s3cr2-o(=$fR#~Qfl93RI`aiMJIxz3#a{9ZSF~!@x4z|QuZ#cef-g6&iX)*`u z;a7HvG$d2U4*fNE3*E=$n@0GoP^VF$PS}|_p=0Wz&}Vlmw^{khCoN`4<9{qk@eZx0 zOg3|NrXd2ajZ`zHh?ZVj9;**>jfHKs6FMb(h&wyfea#WAcJ+j^SyB*x&O1=Wsj3#e zcyS;1z9J8qLD?z>vS35{GUbWKOD7ifwR%N^BYh-gGj94RKcc7Q#9?M&nVmCfD>^*v z>j@nC=^s{Pu^3b9@=TmqQ&SU;&qQHaDfbx11Rp}%t5AWad@KI(qelY|&yHSWqatay zn3+o`R#%-+n|5+=$8jH3A=kMvnhrmt5yOH7kxTG%La#WSq5yk*wRgE}ql*^e3gi?( zs`|wL!`z$4bGf!{-@jF@=23$*(4dq=8A>Ip)r6u+G-^O8O`4FYQAG)1DZ^To5Yk*K zLz5v%nHngBgbImde7@&TTI;&keSPlde%||i-q#=3=V~R+-*FztzHj@sZ~Jys9o-Q~ zdLx*|!GP->m4QW>@ zXjgSVJ##~94Fq&mRoA~X)-<6sHrE4)v+Z45zt#3YGOye=0A&r&H!kuQO)2jrE)*GQ zr{SH1^=h9JzvP?&g!S!=;DJzqDg#+uWhFZjmc#mpeH&41(2oi%)(Mz~xEEC%1P=m~ zV=LyM)3|Je^v`*wFtdc80Q^5=H>)+0_TS4C>T09&F{S83-**V^Q6p?YMMFldL_>8ztMdGe>vpK(>W zqz_pW&;p5N++UQ!De&ngf$^fE)HF+bv$eofC{j735S5Ls%6DroT(WYd*Lwmgn=Np( z_MKDy{+|)a3Z2;U!dIWFiF{0pm=C5{C4z3gxy-nAxm)52Fx}%1uazC1$veg%_Fp-C zHc$;7FLk5X?H3+_?ECIU`@cE>vF$i@t@lnrt%Rz9Tmh?PcJ-0aI3anV?cm3=EG>gc z4#(bX{#MsO#-W44FQ54vz#AWNPy^MvrK9vwr6-?uF>a8!9^)yvO<2HY<6;wmwNHRc1rd!+n!~}<6#%{okyLStM%sOvb4{h_Msj)`CiB{jt0w57@ z12=IWx^~uyidihzFR&N=PX_>H(9Ri%9E52T#$h&FLyJ53u8t}DeB=7{VdJOUbYXJi zmmkSE0JSKD1A2cH0W~%1ZnM$VG7P*RgnD&&6Qh$F>gq26?9ZO%(rtU;7&EAgxrqtN z>oJ0Y=-0LTkMio++2$IyXB(V7+CF>p#tz~l-fz>+1pXx%!h4evf2rE_~LY<-n3Qk@nQoP&9OaCqif-aY`P 
z+qBP(ymj_!sxuIm9)aClZKQoWx<}q4q;ui{eT*{@+s2HE)f5VPwH8Qa&q&SLvumxb zC-iZqilPV8H=qsEi<|-$qq%4XF-=(D(5|NEt~++jP9c_}{Znaeu0h3yS#B4I=r%OKPJKUR!E3BgE!DiMvF&z1aQcS z(>`OahQTbiG%p+@pq8zp-Xd+LhsGoET|_Hr21W0yuRh`|qT0_7`!X@}C++Iw>Qu4r zoWbl$LKFOg=eVJxiy)&wOFY(TVFGbLbl;d9=o^>eJzV1h-7d}SQq!G+MOI?0zxViw z6Cc~joJe$;<9RITm-A`nYu)iBqL&K@@hKs|{}@mbmG|agLz@6_pyK%q4i3hO-oz{d z^RC^ynLHx*EL_+#C+T4Tzm&7X@vN}QUOx^)4y=P{I9$6{ey`vKTHru!jCRbs9htrc z*)_E9Mp4*>prClGu1`q~H~0L(4C8>V9Jr*1GiwiiJq|gC(woFRnQGZ~b<2x0C*yFa zsCxPxgHVD>kaCzaKKiUR@_kKB2B!$FB>?E%j^Dh7hI55c8QnS~ea7}^UN!eK1Y}lj zN;89>UsSZtytA?mmxozt;O^mA#XKxJ%;HNNO%zU{u`lv1BTaM=W>P?|(a0X{r$>4Y zBa1VHZ_-C3>ieTIjg^_;_mr0h$RtFww-(7GMpC-wjx4?^fW0-LzC_ex=|ws7O0_Z6Z8cy=XJ+U8s~gPQhK+3%mbm$5%9AIMS`1&q zZ>%e-ImP6pY4!Sgn7PHVS>6zKbRt;pIXtLlnma)vf3yP*z zqNMfwBGi`p33- z>2Z5uF`20~7k#&-hdgWP!8p61_$B|w{4R5M>Ug2K=y~+(T)S89su%xhwAIwZ=RktV zPAbFq7tw2fo>#o1mfLdP-=vJRnV0c@psxDcvWHx{QgHJ>wP^d_a_9T+$lb(3tQ(|B zM6StZx`C;JC03uDo82W5Oi^4}S#en^q_5G2E_?lr|I$KMy}`j#eSlDp!L%*qe$oe| zJXKe2`YH{Zl6tE}8E0cMV2oxgg|5#W;btd6yE*e80x3Tq;98@%!*@w35A-mj8`HbZ zwfKh%VMYwWbmn;(psMl`&p4&s!+e;?@x@P*a5y>m@&As1?%&%TE;3s3CF{TGlJ>u4 z3HNuo=HE|CkDd5wB0HxEPXGb>7ZyIMX|)3)bhyW5BMSs1km7&-dGFJ%rmv=LX1@Qs z!p-sx^%I6+U~=gBjt8fq@DE(Te*@(Z{)FCqWzk>KKzEZict3mG%M(r)<0>RX2Du-p zH2p(Q+WdejXLQYoyw_JQ^mJEpOfWhmvg@Az(M_jolZ=wlWSVcO#@CbTpI zwm=5~^q5Hai_lW^MhC{Jz}mrl^JcFH3XPM^ZFgHfTA}y?F%TIAR>c3rkkKaM_UHKS z?d!7-&I*=yjUOt>xOwD)5NblGGP}dB*Y@hiecF{2Wpo=VHZ=SA^^UfRV)B3GQY%>r zYrzsjN4baRGFR0`ioG}VTb8`oY)&I<)YGh!&F|P#Q6e2>$ zl;7^Tg0(2#pvd8M16R{@2S*a>QS&oIxThv8d$WMWVfb8HTRtjWN2w9Wkl=dzF(=dP;)qXLtIOm1c&8#xvv z0m|XqCu){IfRV?@tk{lC2A93`SIti5dCGyfapAG{+FCOJOE96U9kFTwrg_nweh?({ zb^`4A0GRo~FH;Rsornn%g+8P_Oa|C`bhH79u#SFuL5=-11^cj9uSObTFxaI?dOBvdqH0b5&ZIc6J~p7XSq8!C)_$z01%J8@(5H#eHh^!tRi zG96r~B>I_`CV&rXj<*2BZgkVqkO4A8Dt4!GOEw#Y`Cc{{P*%c6>`ZKy_9cR14g+(h z^=G$ED5{*f7WXr(r#N=Dt!lqh(Z#`YKMP!7&StxOdA_k|-arCWT*+jqrPtfo+FI7p zcscQ1I0ekB-M;Pab57OjW>z>HiO5#2WiQEHdS$^ng@G3XxPJ}A0OOH=2Tj- 
z#fA;A7$jU!ZQOFf1O)K0d5DG{_3NS^ViwV*?rRP1@tdfDu%lq;{VrZbPz0bs_-Kx# ztyOt3>R80lWNZqGvt4NZaKhljge=-##uvf3{U!~GQhveKt zNTDae+>PGcxjUg8#*MRyTB)g56ISq;T~96MOQAb?GOk_J#r!?r+qo^F^VZh@$E;7s z#V2cG4HY%fML(uhv}EyIh`H2Ajzny%Xzg&#A+GUh%%zVVJGkdGpDxtbRNb^o7@zhT zbw!#rs~_`YhsE9=&~+Ax7|k1618O2xPAnV~M7fAs5O2|~ql{zC_mUlV&F(C zC2~1>ZhG2>rw`%3Lh1w81;JF_Rb0us9Gu3GQ)8ph&c)zpH35MF2+n>*g_dG*c8IsiqlzZTif>aX3BjphJ_`xrx`GA?AUwzbZy(G&YLWrc?Kv!d|q2={(!2NRbgji zz~$AMM;!7au9naLZW~REqhuzP@Y0bQ* zp%N8qNi&y&59|ADDn@RlsDi+=oQfLr_3Km1kuAnX^yu7nd!+A;mi^Sge@I&bkm@+(FzKXZA5l9eo^Ij-1Dldk*eU_ zil!2EaZVYNIxoua!A3-$f}M!VR6}Eb@m4*LJ88_AXD?qSG!Bz-Th95&w9;599x1fP!84E3e{?>Sx*tQ&;z^ej%zdR@<8STf zWav0!WHt=7JjeqRKarzaOS;x)Mvt=pNlFT%^X(;q4h z57@sP>z#{~GAu>1S>aM=*mIbBkYP5}Ys;&68H?D8~(R6_>mE=#b3B+-qB zNiJNy_0sT2Q*<17nNd@~OU~ZzS^SDmj!x;}!!|utXmieO$x14fD0X8UOiUgcZ7;{Y zQe#{pzqxtZ7^4(%&16MHyWRK!S`6t9X^Xk%ai`U8gpS>nE=V}=K^dUA4=n;`g*nO> zW8G#8lBI1!%fD&Myvoi#sW^1^ZTjis6!vB$Os5o>8n<2QEqLGM`%6L;lahV=GNh}z zl;`>(-bLjM?Ll~OojwGD8D;?waON9loqf(><>?sAsJ>a#1|pl6Kny``yZjwdgh0Ag z9Ve#5pv5wW>3<$)P)lBNe(lHf^j^-ojxlRV1uu)&ZP}u)>uAb7J5Mcq1i;)^PAsG-Z(?5O!^?Q0f}25k9DHK zh}sJ|yN0xbz5O`Nho~YMh9oDK+eFz62%9_cBU})|{pI&)SG-9psx00pYMhRHC8GPU zy`(A%`kXh&T}PjnJ@_(c`k`%W_5G#~!DMfbjm=9%L3`J$<<&V`GBZgYig8%In$}MF z=g)vq5)FA7Z3(KE8#nsEe=S>vlyE>;%%N_NHs2htrbg?U9zXnJeaMQ zyRIHQQkAGiuN6xq5}QY2!u7S=I+U+72|JAjbeYkg^YF5FvAEP~?c78p-KzZn8~jGg zPE69ceK!y+go9fH>pT5Onz35QBne-H3_J&|t$p-@7~{JY(uczP+7VoBk5B;$+MzaxlbD}pOjk<7sEwB2 z94}!Ih0>_H+Qn;RlTN;HR*H+C3-Mm_#}vCrWO_3zYULIvKwbc7lLe>aq!}=N*Jd0L zDLLr@amJ&g{mWk4t3!BliOrfd*qeS8qcpgE!YGk=)fgsAlKkrz5BJtrOrwu@dDH`x zjv&`jQKCFcCa8YD9Kz6dz~a3DQ*(Al`80w-eKAN}n7G^~&=4hTlK>|t5;Y87xe`PpsShC7!1R96+c>$M8 zbJ$=i)pH}pvC;C8?P$vqdK1^*h>pH!kn7}e9?n|+>RBl5wE+_5UVIiYBkreRfQOOo zjvsqU)HDUzY{ei?f`Wqs7TTlAID}Bobax8-MjxrW{Lx5vT;$N_v3r@+Z9$V9aZ=r*!e>&t2QJ+I;i0>us&0 zbh6lFko%E`<2+n>Tp(*86HR48v^3J*wCPh^+@T7;8WJ2?=3=kt;Z6_eilR;5;Y6Ry z>tWt3_v+z2{W&hMpp=7YgUye=vS3yf6RXAN=X_iU64dPZBgr@#$BPB2D3BOuYB45S 
zM1(5*LfelB0SKj%0hZtS-L@B+O}ZFVX}mp5#F`~K#F(lDeP@yvF))~3F@@&mW`l3kr>+X;fG*Lj${e49%RIPym$SX4g~2whr*#|HMB{Qg^O(T;wyyTxjB(nVGyE+Ed!6Ize4w?lz1R ziz+WC;4^5uxMdsVOcjqE0m)q+t>Jyd`IpneXZu1{lYddzq4sQ7XcSN}`6Cb>f=Jv> zhyEl-p%bLLp}*pCuSg>Z@zi{mq-&Qh(ea>U4mg#qLsg;~pw!3NvNSK>cG2l;V_oCd zX3GG>Ow&EBxzbQqwV&rUBeSVO29A~cdB!G3zWEF&=3sElrw>`J5&j!a7v$ot>Kdx5 zy~G|CUnN%=aKhp?tNP5Dd2tofG8!6;OL$JK^EPryHp5lcEqeHiU?T-ChQ^J$bYpB0 zUN;sR?TTt^Prb33w~1KCvEzpdAG!;sqCmZMfbkXUp?d=mpsPWZxuXX5(eT?K7~Yp+7j zzJj1Tw^OrkCI*CxH?!Vw#hI2CqjT6fR|MVpJ;4DZ22d3O8Wh2r1FsE_R3z71{t6ts z`YLSs9m`0L$~c($&TW_UHR%E1Mn5vM=;)88VR>Z2VK@etF1kF{wT`xe@d)i?-a5yo z@6y6{K8Y^JkAKM?%jW*|=jLwDU{T&yT#EYL`JJ&lnu{pIY59ts{TMx9$51b~X=QO} z^;FAWqgIxoGs01{)WBvp0XQbJRCn>`WF~MGT+kMA~ z;^i<2wq1{=O#j@Th#Z%og1Xjmf7$GrNgygbW?4)yxpC%6Zh*szfa+5G!gQORbKyE* zF;1bB#G`;-J??>|v}#`mTU)`85{21-0T$-wd2XW?)1aU`!Rx2pcTAT?qMRqd(^|XR z{ggp|k7_PNE$>yl@XvXNKkwJ)nus)7gxK6A>6AwyDW@wdH5!0=tSt%~;iO3q@#v0T zKVD!sTH1snt$?J$3wTETuor;SwsFh({9TnH|c^A`Dh78;QtPxXrRA%G>|1k&kr}V34KU*4o!|>Z2t`ew^o4h4|3d&GS~XZ~xraY1P8g5YTqaTizwN&vK;BcU=kd=5YU%pJ+8Mzx*MY<;*x}3|Gg` zBWpAlEr^W4OpD~dY|)So;NKhKz@Tr;q4 zBzqDmYr(XH-n0@N)eon#s+`9g_=&0I!X3Lj|Cy$Wa7{RFQRY z0&0odUf@@HdKjyddttvJGqDl_87-3MtpnHM-u8tRqs=L{)De#meg2Fja?WrMC_6@o zSe1Uqm<(fr=hxbMJhX#D%nlE+u?*!Nx}uje+R7ZiW+GK$s^MnFy6g0h+d{jSN(Z5{&st9wWt64MY2c0L<>`Zh*+D?NTb9L8vHrBB%{fjECzo(E!a4)8s zCqy;;TCYJeCeQMNcrMFhR|r$r$v;qHlUr%&;NVK?7du(|CBaQ!~H; z)6eYe0RskLRDf6wX^uk|Enny_WWPzMgP8seT;P@@>ute67{WHiGty2a9?|rz*X-yS z*@jjASnKF|zqIPHx>D-|=1V${T>5MDv1>9?6?DAM^-h$X8aKsU@b_V*l*e2V1WALlp;4^R+C2LulEVl>|A!M$0}Prkd+N*XameTacg6KZp(Xm8I{mu}wzOxyQnSwtfVD=PTyedr?WT zfY_b&dw60sRoeW}H^6wEt4Cttb+=+2*@&gbvktA_Q4BiM+{ z&TV%6HtBhShagiB3W|!4#{>&BZ0?Je1Xr_&(=e!edrX5BhjWs}=MC>8C>T&J3&R#- z$s%3|w$v}mg?piRE)unvP#FC}D37_b9Sfc7*HIIWlMNm>A(7Y)3Z`g6fug@UytjgG zT;+OI`Au*&U2zoG%q{cigRdwn1qH-^EIc3Atvym8zxDoVVW2CnR_;5EoAteGa!gc1BO<)-#DTf- zt*R475$=7Wh$V|*!ugBM2p-D5UCRnZ+^3KgPX;|rP9Df~``fpSa1qeON;5JuMAv0! 
z@HOMvwHt$nb4I__#mC|4_>xszejKs@qtvC8c7*!O+C?e3xqp0ZH6bsxN5KJ-TxqA+ zl;Hy%OidqIt->R`mvifK?{jVpydtaw^Y<++!1_##^*4{`wFbLf*z{)OWA@o7igKVg zD|y-IqqrFwC>V#Dx-|iYfs&u#2G*}%W%|H1Z`U0nUV$ZALezvWP)x1{s;^q**t=T> zQ-Gtpyj@?<(t=lOnd;?M8m32+xrW+EH#UHo7yy)IPl02|Jjv&udGYYRr5ex^F0?SSy;6KD1y5N>HmV3xvOw+RmVSDOW z&H!go`cWM(DXe^>ElDLaNlQzqSI0+dwh`C^0}ocZ1n9QSLcJs9lvcb0!Lxk1epA7Y zi46j#VrJmDYPYpXf#lousxVwdV&8Z$!_SOUGxTQGK=D95uvc8_JdzDakrR6;z~t~c zo;{1*E_DH+|DhlA4(7`bLKJ*Y;R8Q)P-ChOn=Qa<;w#3YNTbgs9cA<;)(EltE{|zy zda$wU{%dXWpPMt}4n4<26ZMbS>OW!Na#t9ODLa4AbfVl8#*8T7cu|k?D;Q2$E7{Xc z> z%8cmV9wX4R1Ho?L?>c!r*N&^F%n>TqPP4Nh22p2GY>(a~Z1TQ8Ho2&NCsqq$4cp6? zkAzF%sMvG@(S_;+(k;hT04#+?Ue+hGKY#N~hy?a{=_0%vRTQ&a5f?&af#|Cee2RL^ z$Z<<4TDD}#*goDINvCOp^_1+#1f?;3ZmKZw#AWX;y3y)V`-B;WHd2*XD5!Rh?8Ik7 zt3w6fmXqfw^JCVZD}o#^cW9z_#R9NhX~9O18;!V=iDh+4VQFq3p<0*c{++m5cW&tU zXpBgy@QMDMIrNPPnUlN5xF!`Y#puId6@S_>DB_+Dt66PwZeZWOW5y}Cy$v_8)mDC= zG}>UMm3fD_E`~GhrJ4#AyHi$J3hJi(mavq&4D5wr?~51AX-T;X;3u_shd7_VvREun z{lyssK9DvPcGr9^IN7$ZuSbFqVyOyU5AKBQ*q9In4mtl3(8`B^2*Kl$w~~U6F0HaE*&F zNv(WiyBuP)n#h)%TYiVsMKWUz=wlF&z(SAjEC`{Fq-UcgE_q@3Yr?+P!K?B2B&4{s zWe+JYKYR%G-6S|k=G`p$^vSbw3GJa_jFF;BRT3FI%gprRN()J(@`oNr&|61kfX*)| zV|?36MK;dlr>~lm=DL6d2fyS3f`ugr*Lx$hFbSo$zs3e6{+eFoN>a(g% zpV}Omy{bzm1PWGIXuwtbZQ8IQRZ?M2it^eOp62h$PA)n0kd}$qxqw}Mtv1Sh&Fh)` z&6Wg(Z&T^T(J-7eX;gkS1O3@!P1zO8?N`KA%j`O<+N#rk^;u8d~k z4A#g*FR4izuzh@7r#M_lex;?Ba|rD@WlhCdb^Z7LxV7}`2sst8P_%!Yci$kJ)vNzx z9<5`Yw^$#ReE2r;FWF3RU|ROHgvcOVW?-THuUem_4dFPzv$ZZ?m~v=Vxc!!YwWX?x zz}%HD%R6^(-D1X?zC}V`#i8H3y&bIm524k+cwYSncdvhFd;T)i`X9ci^xuoH{&^W@ zi$ae{Xf9e}&whVJAb^e~%HNIH!`>!4aZc~8x^($+#kz3&F=ra5H4BK;Vj5{sK(<54 zD#=Bn`?luhIS&s7$#+h64Gl^^#9mLI5VGGRmA-AM87Re>)S=_4Ftg|Bzb{DRVjQ8Y z4*$L*t7LNR^nYE~#x2x!$}S0^mXAyqQ7wQVNtartzeRjI*W~bzD^vfE)Rq6Y6@mYm z&M;#)YmWEIjvYIw>KWeF)a=*ov6}-)1cV1OPF+F_8Ss7Rc;%nkvnqXIl+48iiyI8F zz?zEQOt(>MG7U=iM*o%E4>@4f8+a&L3H&>NS#GlrOdD(-Y~$;>e)(UT!;EtoIn!&; zs*Wx`$88?Cf!Tz1{8!Om$)w0kg@l|l))|cHUAXX{>%S)r|%uf1q3KZ=&FDUK7W2nn~oZgh9z5x 
z0f^VHYai?y`}|?RXN^h1{kq(B<27eEWAMItWFz{B6Qa1Hs9Wt`)e5J{DVCa4M=nlX z5`9i?FWq(L*aL+bJsoaWTd19?*}V>{Bjvc*{rg*wHaONS{cX(g!IOg^jUW>NMx)h( zJvnF05X*12MmgNA*1A~?_iq$-4h2sz3l#t}z+xx1B)~hg58xMivn@3GL_e>`)FiNj z%+H{~GL_L>W5-$OHuwuj20rR>KZJ2e^s|_ZSDj=6xZ$n(+V~=uRF?g z$j^8GY`tyU;ACwZQ+nfzD~>>?@yuxKBhvsWQj>NjHhjjf0&F4r(o<$ZTL72w!5>X` zkrtOnagij|D&;521Mz)vF%D+(D`;9Q11cPuE)3Bvl8;hS4&j zALqnKHR)K)dd@x%_RWBLsaE>F3;7NLkW_W#UH9)##ZH$q+51EZ_qg zRWu4GJSnuSSkYvR=YG5WxcnQewL_-$)I=Ftl~z5l(Dr`AXqRF0Dy;6}otK1g&~ssY zySSQNa9pR3xtOQ61N`@WsM#(ujH=agDlCSe;$)vIR>Y)vfZ^2X55f|4NOU4oUBalqfqb*oiX z#R7R}Mpoq%f{t9}5Qi(plSTsl@PD8p|=$vTo9Xz4Z=g4$u zh?S6Rl_P`LWx`}VrU=_=`WN(K;68tU0friV3Uikc8{g#Q=$>}F9Ev_JwC4AMx3ZFu zvRqVKj!;1{v~zo2I&TpcLBkY{OKw^V9}_$4op?A83RMtHAubaOfk|`h9}{KqRoHmA z)iu~pa33~2XWG*RbkpF};O}Uu>X{*{H!?!nirr-pcL1u+MsXJ z33Lg%-TwR3qpTf_J+;NhsET7;xq$;0MJN0qhQumdrKF;!*1L1t!eNu!J0N*xk8q1* zf|SQDB!ww6f2~yW)-nT_nYV57_<}| z*2IDi#><;qv&m-8VsqW6Pa%bV(&{-wo1EZp>Ao;3Y}pkxld=yx0+sa1o(X+AIe2D$ zLOZ0kxF8{htsnO2p0WGA67=p!T9thu&com3pYVUnC^vGmZ~gL*SXhokzFDA{#^|cM zGLcEYW#m&7FpI_J^-`lK^ua+&&42zH+du2M<_0-9TLt^P{E81sxm!-COkhcl%_Ky- zY{%`aunmFYve~-`m=ZQSN63;%zHEX40XDkrU9EQOEG!fRebuAcviFCCyCPfQ;L@A5 zv5_~NciS3ni)>f6u-7#fIG}KgLrKX}V`HwkMb1H$2GJpQtYOE);<3Ak z7-D0a@5@}$xOC4(46KYt^eSlc*awk8$F}=9=C-Ph>k1AC*?WuSnR8KzN8GQTi^xmr z)TUM3_O0%TvPoApyHkKt4bViBe0s}OLraSxCFXh%vMF~auh{nZ`CQi+(dJrz<5f?&2giF@5vg%Cjj?^<3t~O>2ws1+Q zzFI>+Q5On!aJn8>d(k)l)pj*H`I-IKYW0`e-giTo{zbR={9=O2^5rOt#(6m>9%G8n z1XW$Fnk0I`T-~4Ls`o05B;ig0CfJ%iY;*!2-w``2XmG8JI6^IvuP}rnoj1Zn;n`T} zw$Q`qybvT0>V6_EG(In&F$8@*67lt`Kuw$q+x88fi5WntanetR<-0Cky&6;1&F%8G zV*kAO;!?zQ^c@*L4G8##AO`J$C|aV0@~{Pr$#ri(XYO2X2!oGjMqetR25PTaOHDXO zdP!xn>&}wy3M&&{n|pvi@1o;qkQhI_#JP~?-^>|+9|hB?IHoW_J|xL_p@wQQW}Jx5QEJX|u> zcqM9DRSKa|MT|1908|Q5 z{YSyc#$33)>X~qlC$t-+kFO755cqRr=l2aJ*)^s+dnD#G>G<0wXp;rIKQ zbmme9`e?7X9IQt)#Og*JWXfpE?KA@feY~iJ$P+mjU~hv!Uk;*5evf^Auhkpj_yMlr21ZW^8ZK^L1KHm<-7B@sQ49OBCOqTD)hCoN9* zKbba!dED4LGxuAaX=jvbF)oJ6Puco9Zr8cIQdFbc5&&Xz3J@7c>(f93nZ)N4^9W3j 
z);xddlTZA_Y?ST;6O1=*R69ombQj~FqzMcW3vv|kxVz6Ba2_282oR+@)$ZoA0c)xD z=L+ct;;TbAv+EMD2pehg5IROHs}uHr8q_a}i(5oR-AqZwjgU$VTuV!VJEk)66Ake0Y;L-uJK{jS1J{#ubb7$+ zWhmgOJ2$5hG-*OzbTOi0N(Biq;~0k3K_}d9FvhT9LrHo0 zvk&W0s!=1Eng(K$=FDn28n<*qxbB+~+sg+qTg8!}q_L5K7fcJq-C&wA;*nTX+b17H z=LVg&v`3B2=>x3Md=LihAn6k(RMa&XZzv@*${mwM;#$eQGL~&$PR-kX;_ardwbO?n zxx02$2DYA_F#UaUa4+W>QYL^_Q&s+lbGA;f$rRcD@GNBG*CDS&XD9aM#@Uf#jNra8Rs44pGP-nL;<=r(kHOGz}Tap%Pziu=_7o1^4xhK#5ATk`&%(HK8yK0ua^wO%S+S=MUNo9o2!)X$XxZj@`Fw zUpuMEHrEV#j2bcGL=THU6pv2b-*&FA`d9^pFmQ?A)+*;SSFSAZV=QAUh3+e~fFkw4 z^grzoyhhood=>w)OmRT) z?(rMagBhq|^*MzEGP;wcrK96qr1IZvF}7=KxqW+vYc#ZloZPyPFE88rInDZzb+arx za{HUjH*c@vW6Ce|T~M;Lulm+Mst&H{-Me?mc&-86ZeZX!vGSK+eks{~_M-q5UOJiy zae=SS@AC6iHfP_WiX?mN+qdt+1^H5E>62HkTmfG3HbWK$b(PV~E}hhF=uDTx&dy26 z$>AX(m!CRL987)RQ%>*eyE^aA11GYiSCMQH8yoAtd&ucme;(o{IZtbl(*y4Jeo0xi zr`p2j-N}9$R^@CS2?+`LQKK>%S;0k2X*zD&XEB!Y&IA+xpCM)6Us|=>< z;IDqlrT_TNxv_h%1ne$;5n;S^>8aXncd}x7nZJ8@r2bR3Nl8Bp*RI+d?Qh$~eWcz& zO}pA) zrM5A%{(B{#24;kjKhEwbd3lx+n$YaY?_<|IY|o3{66Kb7Y4rnk#CA)|3poGw$Ln(B z$dTH!XaBBhz97cF;ckSH%Bon$hYzQRE&q3@vPwQ;t_M*qV9FEl%bd%9s-XMQ^ z@}6DDswdto$(iBYhhg-PKR*gj_EoXvC6|v8VxO`}LVC!;o)Qvxdb4I;iYs2@$G{RY z8#HfTciitby}ma8?948G$HXQ@&wdmizwX%|Q}u#Wl$0V^;E)jQsEt*tsz1J39P{w> z=TCV>MUoN{SF9@5R7nG0L5$z8^gip${+Kai270819dWKQN(+4zs`kog+TLQ00N_i% zapGm_U!IcJ!6*7-38Bw1?QqLs(RdlVw>9bq9#dI-n8UKfb7<@4q}JJ6wL z+s=Il>6iCmkx^zNYT$=K$CZp$T5?5p!h~1FJGu^>xMr8uix~D41r2Q3hE^If zG68H`_PHW46a^xnfS(Msrr>K>Hh+E(7SZ(a$;)fwd4%+o6n+2q-_!5-Puy8T{78EI z7=c=P9TOq`D(jvSxDR!c`K-TU;Enr@WZE622TJW%F~`NS6MG(St5 zCG6L9pGAh-FdVEs5L$@~aD?Wk68Xj3^%Qu(&Qq@nubZ!xrm>E{5HDN~AHF2c7&&y> z32_wEix!=v@yw!fjESyQpR!&|+T1p`sAxRT`|9dCZ%~|z`ua+w>6&TuMmiIOHl&YGy7m2Dg4@u_FJHoB-rcpXj62ppe&9g8 zPCHFGVsq`{hzLB|d3E95l>B(tZXG)=2qyuJaZhl@kWRj3*hyVE_t%;O4 zxG`idp2XD5j5NqjdRY7JcZ6D1>f*p@b^kzz4FQb}b$e`<+@r0@!!tYT+-LNa=&GaCtOpE##@b$mp`SxZOF}CAM8lJAz@*QWJXsh<;>Yp&p2WF zmfxSBo#k}kKycE+hDLJ^2KD@{t$9y;R5HqBPA%X8$Mk90dA=iA@NlhCcE~94X-uu% z4%d5oJ!^GC(p*JA|KUzj=)J9qL**V`R=lV4k 
zS1PYtNX}s4ZFcA|Qc20MC>*4l=sv9Eg&t(yc&^hEIR^dFf>KlrIi;K}j_TI~2M$m@ zgsvgdt!bz-oXeTd$YiVf6Q`tWAB`eL$TOa1GIi=yVNEsy+=mStMwzuX{`jYym>9Xm z>uRe%^_P}jX<$&e>kcHu&>=%=t4igvR`n+U05?Oozs058`iqIr8M%_%3u9EnmbF7I z8j>Tg1NdPudG_oC4wH!%>lWLy1>=eA(_$PP*fbk6!vNtxxZ`(zhdE{h=+VQ66pNg? zZUfZk`RAG+>N=2wG->ze>|wfIJF;VB<>fbgDM(!Bx6|um!Tf#u_rot|?3u3>cKGmN zj&@?(m$C8jau9key26;TO>Ork$;^ux2DFvn(!e)C(}k@VW0W4WgK%+0zyrAxTF{iJ z3GO~C#-WMdFDEP8t5>g+o}Snf0{zKTu*4_5ye@n{IdUO@Nu?Q8S)X!3oI1aZ_KyNf za^b>-hH)K7vjhUp9Nn#-YQoi$RwYhqWEb+&k}a}h$8LLhX|<}f#hIs@F#O5-wAgU3 z(_*)e=Qa0~3^_Gs^)y@CdiPcTQbG7t0dDo{u&d& z@k5866#%8YRB2Z!CiwWwg9i^Ly9gjnDA5{{trAWQCdLzPge*RnVGU9m!3OMgVfUx0 zWiw{@0Ss2I^sgGNRU)TmSunfN-r;e`!c*?>0!fECvCI{7*mkcYjI|(2txvro<&Ie!*SYF= zAElMq>FMX*KIH|yCszFcERO@?3>H=ONq2qlX&3eF@&4nFYn24Z1NG!bk2a87Y?mAF zA~iHkWo1sZol|EiW%dGC7;&7aTY%ahj}Oa8A<_28u@}k! z&lqUOgT~j^Kfh+4rZMD3Uit)-Y>Q-=T6)jep)Ohllq zRdOLHRY9BYg12n98?g_p*ZqsX3*Y%0P0W)BG2#PxV%>)v%eM4>HINy_iu_c8^_U&t> zAKAs#E`8V-+nRD=!#dxW_h>$f^rl^9wEXpit#`L~OS;JICE)Y1Yq+O(HqobfTk#vH z#JEG^!i5DMj0{Mrn7Is?kcxh(JZ4I$74?Lkj?U6+>*r&)XVZxmA2FYa5NWVmUW3F= z8vvfS!jdyRXKg*xC$7l-r9c2BpHxN`Msc;myb#c8HCGZzF+v#ZG%cEZDBp`l@r z=86*E;7-$53_-4M452vq^%=EWUWhaVeEJ0M;(yW;lH^4|uy{HZyF!dz&_fjC)v4t#D6qL!T}$?BI-=bOs$e6gV|fL>&Q zqsyeNxv^B+$kuuj3cbBwWMnYbv+Sm52`j|_Cy08MtMugc&jzh^?w1+fZ&A9tyF~9h zu!3x}C_lIfUZPL^3KbQzC-aJy`+dSx)HCMnm_JF-!Q~Bg-@JFO2aE!SNjL^tuRtM7 zaz-thKmYmnkA4%T1muKe7aV6n3fzJ=| zK;9#%;TUr#D0J@p6nx*&1b*wD%Rx)a~1^kK%OudB?=~;{zwHiWR*I@km?g zEd>_5f3Q=yhp(q+;9{q4G8d(TGhk*C^`7-nFnZRwu;JKF=YBh@O->8dXbzjx!T4xN zPE6D9W7krQEyf(!&k0CewO3z9hm!e{xMuQQ-Fbu8^z~OhcaRFI?K@V)1cjlbHI(j6|gK879ZK1DHw(wuUpo+ zpX%%=Z&1z3y3_&M*=m(QVLA@sTT~L0k`@+aZs<(2+-IvtUu}!HqDbP=#0h<>e0)I< z;IKPYzOt9&SMDd>%zxp1`$M{1=IaZZ*Gd*nq%;i<9ua!f#O~W%I0q&uYh(NG>~iYA z{Lp@{PMRG#kZQ7FT;heqbPIO_kC0cgp~Dwm)m}XJyqQPXsX58Rm#F!intNq~vf62r zjQ{t)F->pgv3|X!qHZKezwbHPg4eeKehi`m}-A z4BjK!gOapIo|yJx>jj)BnG=^#8@9f87m~o?pN{k4WY3EciS9> zw9>G)1k3GFxfd?&B0c$b{>tIw+}Ll|!N8-J-@3FteER(P5G_i3e7mwOi_OpI%>d%? 
za?-U)*Jyr!zMD_Y3~KmIltKk%Wiq{c3%*YFm403XCm`^Fg9k%GpM2K;DC2SKe|AI9 zUGL?q@&B8Xv$nDsHY632Y#%2luefV<8AzxD!9wSRVX6mtJL@O9uV&_H~GU*zGIn>x5d5*(pH1z+wmaEp|8hAB{61M@A+~ z%$R1K5OQtye<#%cOE#!DvaTB0kotg3$wHxMVtU}Z!!jpjSU&v0z-^?jT`+1vch?L# zqCe&;uq;HN>J_#7c8*Pxpv~A|E?~0Q-p?|uiUeUiV5$hbmq;!etmnc;9HnSSi)_&6aPiN zGFmq-xP=M%V-|>Zf4gq}6hq{leZO{U?vgZN@6=N99KnH>|2dJ(;p^^8pZPx+oXKk4>@G9JzP6qW&G8L;$)6?#JJcPK0;-{+m^*8s# zPm8ywZC<=>X|U^D;PFHiDo8krm5XomrHOK8hI7HJw+8q;v=s58n4bkeIfH$Wg#t`DWg`U%ykd zQULEOS4#KlC7Y&VM3AU`PPv|NTN1Jzui~9|-hAm{At#eun3U1ZfD5BjV!_NA2gkvd z?Hp~jq!LA{sAg>oI24tQ1su{U2@4AY9}-d!c9wc|=Fz~&&{Yf1&ymu!wSp1_D{k2Y zxlg;*VQY~DhzXz$G726FfW@~b^z7&fhiG5W_YM41qE;nANZH`AV8x2jcUnd1+Es^j z`?FS6{!1|zT2@aw1eL~DsPm{HL)MV{S5|MD%7ewqw6IDdtNx{pLtw+jT*ED(LUAgz zZ#WwZTeHgd$(_1%@l)IAm7y>nmKTc6M!~zYG&b$(Mgv*4VI?`~>FEOK4-TH4+gWA% z`#C!^Xo`h8Q#1}4Jb3lP!#y~9mLdF7(Oc)ATRwTFOWz*7da3e`DJbbt0%k(zUg0Q} z?hQocON%V)#XBl$b{YbYU37-nyN#myhKyf9JlBCgEFPQwL6Qf?lFy#;GF|E%O$%0lDEn zx7)hzSo=3KpR@hW30DB3j-ibGUQ=`6&>`3(1RY5-slV(9yyzyB{c1b!i2HcCrhom2 zKDYn-oQwDwRi;Stol7pSnK66z;rhY> zv6oTE6()I8t39ql1uU`}*g}wqZVSE12}QoxQWYo_iH^@*F*3_uDK}+#?cys2T#2y!#Bm2{v;)z{hBP1dqDh0$K5}vqCYyF8W!83 znJxdTe4iqzs_WRZxdMHAtYyPGDzb`l2gHB8+rNd75Ut>6>a`dD(Q5o(PtW1{7OqBHD~JcHbFiA@knC=m%Q6r<8G_w(k}99AZQ>#glShPCx$3$P6-71En}1(9 z-}h!m(h9XkZJKHR=BrcA?~Shw({ePnW+&ZDYr3-~&h%z-!l^PD>0z^4f1D+z1OEOp z^wwRKRX3SA_0iYU(*BKKB-3(gKFfN~-7?pB*Aa*1@3!OwwSMXPkC)|p!%W*M-Q|K; zvHqsh)wMSr?0gz;E;DhK{GR6jX2PfITlA8@lo+OMse9p) zuHfLbaAm7Y?f$XM>RpoE|Hv)gIqLl6D7)98#sR5?q2}W!tFGO3`)tVh_0E=#Jz6Q+|+bR+UbECNtT<<`}LDQyRhIw=*5XezS~U-UH-YA zHrJO(bXWg$rhm}gn#ic6v`Ilh$)1L)u|j)yb2e9@E0o^o(6QrdumWdIKs-`@L)vv6 zU{#qs-t<5HfmeA(wLOpX1Lj!gsoe1n@y_1xbdzp%Sx(HRtQ(gujahPYE^<)NP;^sc z-OU{PNwTuj&j+udpXn3dsjjtg{gb7wR@R4Q zE#Bz!=9_yZq#bWKHeq1IsM46TB-F3AUI{b2_BJ74obJSTBb7@YzfS*tZAVR7QRBU?15ev%T%n#3 zBFf(m=!^(8T{GDy{`FrkCZ>G;?yOrp$=JUx@n&Y~*LyGC+}NeCP%-jRlSx)v940{( zZfYM9^abBn_x-)&V#G%PuK>A7mdWsIcm-?uMpu0ys0YL@_z zkj>GmhbRoy+%|o}UISH+w)TTCVI&^zYU=kS|vZN9zPov{Jx<~0NIk_twb 
ztSil~7atq{cHS~$+loi7%2)S+@nVP?TqpOPplvtt4_{diLm1 z@g+$~>r2AWlBm!zC4(~el&$v))+o`)wy*o7bhmt;&5Y~)diTD*>(kPmXBLgSo|3gC z<_#3N{g|ez(id7)=?lSS@=Y5fqRziPJJF{b#i60pILDzWYT{0S;PBz^{dT{lcb;;4XQ|@t4`-5;V(O1i`V2R5 z^Z2eXGi^RWNk(W!r^$66uWo#CF^ZQLap&`Geq2>)L=4mH3!Mz=V3wn5-Z_`-EQ>7i zN8A$p!tUJ>x#~|@L2vgI1)O@2XH{PjAJb5sHDUYv;P~Aooz z%4za6TsdFgmQVZnPMKzvo>J7;1=mk^Jij=6H@)JD%w=0Py}XonbkxOpTO1l{tAtk% zU5Me6ZK0>(g`paiPgF|kgM032sCuDQ9@~0@$LpyB=lb1FK0Q9PU5VV8x6$nP{YEL* zo4XQ!&-x#(nv<21=-!%+h*a4b6uZ4V`liWjHI27A-runJ_(E9 z-h0ZxC4qLIBa0^b@AM5bON@wVw5fO`iT`4HpD`)&;${U5`rj*NExa|0i_EJWhi5Ukq8kY3Mf@YrGtQglmQhD z!cat-fPhGoLApa582)F2QF6w6?!Eu@+?%`B&04O5M`rfk-~PV0KF{;gbH_g)Z@Z|G zhqLaNoTe#}+y7vVil3odPr5)jaiE&rhe{L3X|S;Q?A{!ICC*)h;)tlDHXhxslh!sd zRIY^X6ZW&Ik=v_l-c?Xe-V8t)mU&{lJ2~-|vUhxPo<4oVFA^f$hM6{v*rsT@RH+#l z(kZp2_ zlD9{hFWuZ6fv~QUU#M*!*>iDE1eLjga-1SqS0uv~DPDID5ver4so`Q}nb}?z-t0NX zSY_!t79W{ytyq(K(ze#DsL$z@-nypA>$wxttBBnvuxQb$ZVo52(J7RgHN_dp4^l^98Sh4-2MkM2U!GfcO`_XKuTiFr5n68;VXjj6Qm-_?z$UBx#eFX{g)dQhnDNOw z?c08p|6%|Bl3)|h*awe4?SXyPRB)WAf>UyO{cNDsUr7eo9CLDnYsVE-MosMQ&#&28 zSY#0tGa}MmkJw-*`}H=KS+yGw%E2dd0MOPoc5U~S%yWS$DZ@Xap5nLSX3SWGqTBVT zs6=fw^cv+a!WK+L3xUodVVpZ^OJg_8<=@c{zrb#EZk~iuIQ$w&v$#Z@t!H@4N7DCa z<3ZWgyN%rkl*d%>ut!_{wMS98{WsTia9^QP_RWSt|HkG?9sZLe9Oryud$zaGdE2(D z_~(uEl;hx&g*f+`r)Zf^(b=vM*Pfn(#7e#0#$JQN+=QphN_I zCD9D1xWr%T)4Zt4((dq^w5e>`J&Pc#x>V(wbd*-y;Z<{-`#3MW`0?82$Twbk z)MAI?OOriA+%|tQgW3waX{?eNRcMBSm#_Rq81-~&E)soIgFIld{dWvLUaD(&YPilk zA4iT<8Xy|s@{-+`U;g;<37YXTEa+|d$A}R{mCmZ8e`+e)z?F9SHk}OGFCHh9-_>fv zP;$b(PdvBoP6_fJndl?u6CP|&=cDG9OY=luj+6%As0^YRgnC4(=a+ywAQ6W5{jM|l z6mfo284?QaqjrTO4;=5}CGrCyr>D1EKp@MuIZx4T7-f^k8BVgz?rGG%8Vv{|T0OhH zo74#>K)(@>&7@324!=2&YhbOWmC|E>dgc+z1CaSZ|q3 zu3pk@ybh#tCUAf&!Ifv^3dQBh4jxiv8iyGUn)O{*xd&7At(~uAYg`Af@o2mr# z^4zl$MrL4(vlGG!h0=fxBCJ-S@!Ji9_mXTI*sEaM8X^^Jzo1&Fjkc!Fo3dn#dMh!X zy|If{2+w7gYLJG6g0-r}QhFDpo@)K$?p?WVOPi{Ebkl$hVV*+27`%8!yG65Z?*@Ck zYlC=n3Z`&=t0T6A&-?UK%qJI;vwNWgm-D(VE%BIqco|RvJ&1c6GQDFO2B}Rr&8*TH(%urBcUe2fMiK4ts7=+1@=42t>dGl^WN5_X(AEW$E 
zPBXiC>z2Ocw~H2CxN_wrolN;1d$`Gc=m6^lY~BQnLWEmy7FvaYItNg=SOU$%yjolD zahO_cbc1f+GdSRZCZ1!;k8V5NZVLCwb{ny=^d3QQf|?zZ6kE9QxB9q_B1 z2RN76oq-JTMVNBrf7Trh=MPg>25f7h#w~ll{nY@Vk1C%oP<;BZOAO|aWeSj98g}^m2sO1(@(_T zF<$Z7#CxfKgeY;eza@Wavad(7S{bEnn8KY1pHP_xh?6***y{^F`|LAd`A=4#N_gN+ zO*D^i{UiGnk?d4mL!2S!CGTCYqsWO^$OjV>NxpGW@79f55yAy3I$G$bw=u%4`wvjXm#!; zU4tfDN2sk%XjKjo^i|)2qfl1Vv_7Q7$LdYG`_gB4Zo^DvaCUv*jd5C=a394$=-JqL z?XNVO*d5Vjp~h28l{&jOue_T%J6QKe6l4^icd3iQX2>hXH*Dq9d$+f1JRyAdvt$00 z=RO4ikmrZxCmfbAZDIi1B}#~h3K&7+TA>}~kyFDBwy+dNlWY#VFP_$y-7V3bAy|A- zW9OKeu5IqX_kds2e=Q*3iuja{_gP5;rjRU{(8thU-Znx@28KNTbI)Rh!SD zR34BeissdE+I-%v#6xS~U|ygreE!*Icky`>#3cX-0ZV3-;}jc=BDQW{H`ZS_dFirc z(N0=yoXWzu$1x>@#X<62&)=^EYxm&n!WG9KHBTW5Kd7RYW_AF8;Whp{Qjtm{W!goW zz$3elcSTp%-F8aLTWAha2Gfz;r{1m$VtGmpAEH2JJDhv06Ojc}bvHRRSTi3Z7E5tD z$d5o}qC!QONEMhp@!OJ(%j&BJT3<;U*5zM{cSG$0g#CK|rrj{LT{?+kJE$J-y4t4scjR9bEQi zjPtcYgBG-zs^a4ttBz3wS-a-j(1xdCf?vgWtw$d{pYDBQZQy}YIOTecB4wP}bKn%o z*}@MM_crEKSKv%n)hv*>dliRl=!&LWoL9^di+HLfKq9Ew)EqVSA5LW;fUD=HU7#|; zkHu(RGah)bK=N=X!I4>_koWsz9j;*Q^K9$E|4_XbwR$X8UTwGT3TV7wH4dV|D z!a&(ldlfKfveIbEoC|4YL zjvxby^%85e$fW@QL6Aqj;lAivTvYc+eNUuNbE@LnV;88!Z4a25-6nk*R?j(sQhWV` zJo<1AT-{fqG(dGl)9Yt%4ic`Yfkh4vuE^XeyJl_47q0=xxQ^2liCm=4rY3=msF3gv zh^?CyMmk3~O;=BNBHp3lPfMuZLc!^h>y&I^))_P1nCSfydRqsRbaTX4WO{6v-cW_^ zRgKAc!;eN%TQbdx{Fn53(2sR{MRJn;2g`Jo97}Sk zwo~8GlRZb9Zz-5~_6(_)1|-wMT*~7~2Exxd`8$ghOq{4XwWf#2@qsl_aCkdMUwBF8 zjlPWUsq#W@s-vwcOIq zXG!g?4;2ZQp}(o`rEtb4GUwYKY{GTC^Qbf&VZjx7Dllt#O*!(*%kE$bxfsNA4 z&QFw1jLOaV`A`kbR6KV4eu~bX)Z%KbbsgeD!?bdWfkni4{~wvo28>@Mt^0CMRxdD6 zu>E#&WSP87wc?~^^nnKX4iY0~LGR^7-7T6L z?TeN{YnzAKPf6T=Di*t(+L}hc{oCD%`x}btbky(hNvVl_JbYEv8MC6I{|S87hoAqM zs+8Kq+@Aw_IfJ7?k~hc!20P!JjqWi%o7lMH+U>I9&z_wzJE#2dkW3+$pNeU&z2qIX z&-b4|`Tm0M;06S`{m_x;!6qX0LD`|!ufMuv*SV}PYo2L_tXfAPf7Y<7LGZO;r5zdL zbAa^6BRupoJNF+u)9(No_vVS#ik-`89cnfFc`Ku8+qyFG74EEjYXc!+YSG+djNsDG zzRZ|2XE-HxI{H|SE*T2&_z$iliM(}axZJF1xXyOUNvu$BVaaGBdF!fZ$0yoTsis*k zD~_5s@5sCD`Kj}!-N`e3?%C0cXr$^JCE0D_^Ud7