diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
index f4a8085ec..d44f18d1e 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -65,6 +65,9 @@ param parLogAnalyticsWorkSpaceAndAutomationAccountLocation string = 'eastus'
 @description('Resource ID of Log Analytics Workspace.')
 param parLogAnalyticsWorkspaceResourceId string = ''
+@sys.description('Category of logs for supported resource logging for Log Analytics Workspace.')
+param parLogAnalyticsWorkspaceResourceCategory string = 'allLogs'
+
 @description('Resource ID for VM Insights Data Collection Rule.')
 param parDataCollectionRuleVMInsightsResourceId string = ''
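Review bot: `parLogAnalyticsWorkspaceResourceCategory` is declared as a free-form string with no `@allowed` decorator, yet the consumer visible in this diff (the `=~ 'allLogs'` ternary in the `modPolicyAssignmentIntRootDeployResourceDiag` hunk around line 747) treats every value other than `allLogs` as a request for the alternate initiative. A typo or an unexpected value therefore silently switches the root-scope diagnostics assignment to the narrower initiative instead of failing at deploy time. Constrain it at the declaration, e.g. `@allowed(['allLogs', '<other-supported-category>'])` where the second entry is whatever category the alternate initiative covers, and name the accepted values in the description. The new decorator also uses `@sys.description` while the neighbouring parameters use `@description`; one form should be used consistently within the file.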
@@ -164,6 +167,7 @@ var varModuleDeploymentNames = {
 modPolicyAssignmentPlatformDeployVmssMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssMonitor-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformDeployMdfcDefSqlAma: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDeleteUamiAma-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformDenyDeleteUAMIAMA: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deny-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentPlatformEnforceSubnetPrivate: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceSubnetPrivate-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformEnforceAsr: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceBackup-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentPlatformEnforceAumCheckUpdates: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceAumCheckUpdates-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
@@ -179,7 +183,6 @@ var varModuleDeploymentNames = {
 modPolicyAssignmentLzsDeployVmBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsDenyStorageHttp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyStorageHttp-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
- modPolicyAssignmentLzsDeployAksPolicy: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAKSPolicy-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsDenyPrivEscalationAks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivEscAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsDenyPrivContainersAks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivConAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsEnforceAksHttps: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAKSHTTPS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
@@ -195,6 +198,7 @@ var varModuleDeploymentNames = {
 modPolicyAssignmentLzsDeployVmMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmMonitor-Lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsDeployVmssMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssMonitor-Lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsDeployMdfcDefSqlAma: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMdfcDefSqlAma-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsEnforceSubnetPrivate: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceSubnetPrivate-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsEnforceAsr: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsAumCheckUpdates: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceAumCheckUpdates-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
@@ -327,11 +331,6 @@ var varPolicyAssignmentDenyUnmanagedDisk = {
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json')
 }
-var varPolicyAssignmentDeployAKSPolicy = {
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7'
- libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json')
-}
-
 var varPolicyAssignmentDeployASCMonitoring = {
 definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json')
@@ -384,6 +383,7 @@ var varPolicyAssignmentDeployPrivateDNSZones = {
 var varPolicyAssignmentDeployResourceDiag = {
 definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/0884adba-2312-4468-abeb-5422caed1038'
+ conditionalDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/f5b29bc4-feca-4cc6-a58a-772dd5e290a5'
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json')
 }
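Review bot: The new `conditionalDefinitionId` on `varPolicyAssignmentDeployResourceDiag` does not say what the condition is or which initiative the second ID selects, and the selection logic lives far away in the module call around line 747, so a reader of this var cannot tell when each ID applies. A name describing the log category the alternate initiative covers would be clearer; at minimum the line should carry a comment such as `// Used instead of definitionId when parLogAnalyticsWorkspaceResourceCategory is not 'allLogs'`. Note also that `libDefinition` is the same template for both branches, so if that JSON embeds a `policyDefinitionId` or initiative-specific parameters they will no longer match the assignment when the alternate ID is chosen — worth confirming against `policy_assignment_es_deploy_resource_diag.tmpl.json`, which is not in this diff.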
@@ -422,12 +422,12 @@ var varPolicyAssignmentDeployvmHybrMonitoring = {
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json')
 }
-var varPolicyAssignmentDeployVMMonitoring = {
+var varPolicyAssignmentDeployVMMonitor24 = {
 definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6'
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json')
 }
-var varPolicyAssignmentDeployVMSSMonitoring = {
+var varPolicyAssignmentDeployVMSSMonitor24 = {
 definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485'
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json')
 }
@@ -447,6 +447,11 @@ var varPolicyAssignmentEnableDDoSVNET = {
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json')
 }
+var varPolicyAssignmentEnforceSubnetPrivate = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json')
+}
+
 var varPolicyAssignmentEnforceACSB = {
 definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB'
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_acsb.tmpl.json')
@@ -739,7 +744,7 @@ module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments
 scope: managementGroup(varManagementGroupIds.intRoot)
 name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployResourceDiag
 params: {
- parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployResourceDiag.definitionId
+ parPolicyAssignmentDefinitionId: parLogAnalyticsWorkspaceResourceCategory =~ 'allLogs' ? varPolicyAssignmentDeployResourceDiag.definitionId : varPolicyAssignmentDeployResourceDiag.conditionalDefinitionId
 parPolicyAssignmentName: varPolicyAssignmentDeployResourceDiag.libDefinition.name
 parPolicyAssignmentDisplayName: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.displayName
 parPolicyAssignmentDescription: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.description
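Review bot: The replaced `parPolicyAssignmentDefinitionId` line packs the category comparison and both definition IDs into one long ternary inside the module params, whereas the neighbouring assignments read the ID straight from their var. Hoisting it to a named variable beside `varPolicyAssignmentDeployResourceDiag`, e.g. `var varDeployResourceDiagDefinitionId = parLogAnalyticsWorkspaceResourceCategory =~ 'allLogs' ? varPolicyAssignmentDeployResourceDiag.definitionId : varPolicyAssignmentDeployResourceDiag.conditionalDefinitionId`, keeps the module call uniform and gives the choice one place to be documented. That comment should record that `=~` is a case-insensitive comparison, so `ALLLOGS` selects the full initiative while any other spelling falls through to the alternate one. The enclosing module block starts and ends outside the hunk.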
@@ -1030,17 +1035,17 @@ module modPolicyAssignmentPlatformDeployVmArcMonitor '../../../policy/assignment
 }
 // Module - Policy Assignment - Deploy-VM-Monitor-24
-module modPolicyAssignmentPlatformDeployVmMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitoring.libDefinition.name)) {
+module modPolicyAssignmentPlatformDeployVmMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitor24.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.platform)
 name: varModuleDeploymentNames.modPolicyAssignmentPlatformDeployVmMonitor
 params: {
- parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitoring.definitionId
- parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitoring.libDefinition.name
- parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.displayName
- parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.description
- parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.parameters
- parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type
- parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitor24.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitor24.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitor24.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.enforcementMode
 parPolicyAssignmentParameterOverrides: {
 dcrResourceId: {
 value: parDataCollectionRuleVMInsightsResourceId
@@ -1115,17 +1120,17 @@ module modPolicyAssignmentPlatformDenyDeleteUAMIAMA '../../../policy/assignments
 }
 // Module - Policy Assignment - Deploy-VMSS-Monitor-24
-module modPolicyAssignmentPlatformDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name)) {
+module modPolicyAssignmentPlatformDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitor24.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.platform)
 name: varModuleDeploymentNames.modPolicyAssignmentPlatformDeployVmssMonitor
 params: {
- parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitoring.definitionId
- parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name
- parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.displayName
- parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.description
- parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.parameters
- parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type
- parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitor24.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.enforcementMode
 parPolicyAssignmentParameterOverrides: {
 dcrResourceId: {
 value: parDataCollectionRuleChangeTrackingResourceId
@@ -1144,6 +1149,21 @@ module modPolicyAssignmentPlatformDeployVmssMonitor '../../../policy/assignments
 parTelemetryOptOut: parTelemetryOptOut
 }
 }
+// Module - Policy Assignment - Enforce-Subnet-Private
+module modPolicyAssignmentPlatformEnforceSubnetPrivate '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceSubnetPrivate.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.platform)
+ name: varModuleDeploymentNames.modPolicyAssignmentPlatformEnforceSubnetPrivate
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceSubnetPrivate.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
 // Module - Policy Assignment - Enforce-GR-KeyVault
 module modPolicyAssignmentPlatformEnforceGrKeyVault '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceGRKeyVault.libDefinition.name)) {
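Review bot: `modPolicyAssignmentPlatformEnforceSubnetPrivate` takes `parPolicyAssignmentIdentityType` from `libDefinition.identity.type` but passes no `parPolicyAssignmentIdentityRoleDefinitionIds`, so the assignment is only coherent if the template declares `"identity": { "type": "None" }`; if it declares `SystemAssigned`, a managed identity with no role is created at the platform scope for a definition that, as far as this diff shows, performs no remediation. Confirm against `policy_assignment_es_enforce_subnet_private.tmpl.json`, which is not in this diff; the same applies to the landing-zones module in the hunk at line 1817. Also, this block is inserted directly after the closing `}` of `modPolicyAssignmentPlatformDeployVmssMonitor` with no separating blank line, whereas the landing-zones hunk does add one; keep the file's one-blank-line convention between modules here too.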
@@ -1459,26 +1479,6 @@ module modPolicyAssignmentLzsDenyStorageHttp '../../../policy/assignments/policy
 }
 }
-// Module - Policy Assignment - Deploy-AKS-Policy
-module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployAKSPolicy.libDefinition.name)) {
- scope: managementGroup(varManagementGroupIds.landingZones)
- name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployAksPolicy
- params: {
- parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAKSPolicy.definitionId
- parPolicyAssignmentName: varPolicyAssignmentDeployAKSPolicy.libDefinition.name
- parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.displayName
- parPolicyAssignmentDescription: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.description
- parPolicyAssignmentParameters: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.parameters
- parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAKSPolicy.libDefinition.identity.type
- parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.enforcementMode
- parPolicyAssignmentIdentityRoleDefinitionIds: [
- varRbacRoleDefinitionIds.aksContributor
- varRbacRoleDefinitionIds.aksPolicyAddon
- ]
- parTelemetryOptOut: parTelemetryOptOut
- }
-}
-
 // Module - Policy Assignment - Deny-Priv-Escalation-AKS
 module modPolicyAssignmentLzsDenyPrivEscalationAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZones)
@@ -1725,17 +1725,17 @@ module modPolicyAssignmentLzsDeployVmArcMonitor '../../../policy/assignments/pol
 }
 // Module - Policy Assignment - Deploy-VM-Monitor-24
-module modPolicyAssignmentLzsDeployVmMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitoring.libDefinition.name)) {
+module modPolicyAssignmentLzsDeployVmMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitor24.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZones)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmMonitor
 params: {
- parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitoring.definitionId
- parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitoring.libDefinition.name
- parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.displayName
- parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.description
- parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.parameters
- parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type
- parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitor24.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitor24.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitor24.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.enforcementMode
 parPolicyAssignmentParameterOverrides: {
 dcrResourceId: {
 value: parDataCollectionRuleVMInsightsResourceId
@@ -1756,17 +1756,17 @@ module modPolicyAssignmentLzsDeployVmMonitor '../../../policy/assignments/policy
 }
 // Module - Policy Assignment - Deploy-VMSS-Monitor-24
-module modPolicyAssignmentLzsDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name)) {
+module modPolicyAssignmentLzsDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitor24.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZones)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmssMonitor
 params: {
- parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitoring.definitionId
- parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name
- parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.displayName
- parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.description
- parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.parameters
- parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type
- parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitor24.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.enforcementMode
 parPolicyAssignmentParameterOverrides: {
 dcrResourceId: {
 value: parDataCollectionRuleChangeTrackingResourceId
@@ -1817,6 +1817,22 @@ module modPolicyAssignmentLzsmDeployMdfcDefSqlAma '../../../policy/assignments/p
 }
 }
+// Module - Policy Assignment - Enforce-Subnet-Private
+module modPolicyAssignmentLzsEnforceSubnetPrivate '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceSubnetPrivate.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceSubnetPrivate
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceSubnetPrivate.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
 // Module - Policy Assignment - Enforce-GR-KeyVault
 module modPolicyAssignmentLzsEnforceGrKeyVault '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceGRKeyVault.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZones)
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
index 59d3e77a6..ef4ce4c5a 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
@@ -15,6 +15,7 @@ parLandingZoneChildrenMgAlzDefaultsEnable | No | Assign policies to Corp &
 parLandingZoneMgConfidentialEnable | No | Assign policies to Confidential Corp and Online groups under Landing Zones.
 parLogAnalyticsWorkSpaceAndAutomationAccountLocation | No | Location of Log Analytics Workspace & Automation Account.
 parLogAnalyticsWorkspaceResourceId | No | Resource ID of Log Analytics Workspace.
+parLogAnalyticsWorkspaceResourceCategory | No | Category of logs for supported resource logging for Log Analytics Workspace.
 parDataCollectionRuleVMInsightsResourceId | No | Resource ID for VM Insights Data Collection Rule.
 parDataCollectionRuleChangeTrackingResourceId | No | Resource ID for Change Tracking Data Collection Rule.
 parDataCollectionRuleMDFCSQLResourceId | No | Resource ID for MDFC SQL Data Collection Rule.
@@ -101,6 +102,14 @@ Location of Log Analytics Workspace & Automation Account.
 Resource ID of Log Analytics Workspace.
+### parLogAnalyticsWorkspaceResourceCategory
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Category of logs for supported resource logging for Log Analytics Workspace.
+
+- Default value: `allLogs`
+
 ### parDataCollectionRuleVMInsightsResourceId
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@@ -265,6 +274,9 @@ Opt out of deployment telemetry.
 "parLogAnalyticsWorkspaceResourceId": {
 "value": ""
 },
+ "parLogAnalyticsWorkspaceResourceCategory": {
+ "value": "allLogs"
+ },
 "parDataCollectionRuleVMInsightsResourceId": {
 "value": ""
 },
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep
index 0c75e7a9a..f6132b3ce 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep
@@ -68,7 +68,6 @@ var varModuleDeploymentNames = {
 modPolicyAssignmentLZsDeployVMBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLZsEnableDDoSVNET: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLZsDenyStorageHttp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyStorageHttp-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
- modPolicyAssignmentLZsDeployAKSPolicy: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAKSPolicy-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLZsDenyPrivEscalationAKS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivEscAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLZsDenyPrivContainersAKS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivConAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLZsEnforceAKSHTTPS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAKSHTTPS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
@@ -129,11 +128,6 @@ var varPolicyAssignmentDenySubnetWithoutNsg = {
 libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json'))
 }
-var varPolicyAssignmentDeployAKSPolicy = {
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7'
- libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json'))
-}
-
 var varPolicyAssignmentDeployASCMonitoring = {
 definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
 libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json'))
@@ -585,25 +579,6 @@ module modPolicyAssignmentLZsDenyStorageHttp '../../../policy/assignments/policy
 }
 }
-// Module - Policy Assignment - Deploy-AKS-Policy
-module modPolicyAssignmentLZsDeployAKSPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
- scope: managementGroup(varManagementGroupIDs.landingZones)
- name: varModuleDeploymentNames.modPolicyAssignmentLZsDeployAKSPolicy
- params: {
- parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAKSPolicy.definitionId
- parPolicyAssignmentName: varPolicyAssignmentDeployAKSPolicy.libDefinition.name
- parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.displayName
- parPolicyAssignmentDescription: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.description
- parPolicyAssignmentParameters: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.parameters
- parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAKSPolicy.libDefinition.identity.type
- parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.enforcementMode
- parPolicyAssignmentIdentityRoleDefinitionIds: [
- varRBACRoleDefinitionIDs.aksContributor
- ]
- parTelemetryOptOut: parTelemetryOptOut
- }
-}
-
 // Module - Policy Assignment - Deny-Priv-Escalation-AKS
 module modPolicyAssignmentLZsDenyPrivEscalationAKS '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
 scope: managementGroup(varManagementGroupIDs.landingZones)
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
index f847d59bb..17556fd5c 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
@@ -44,6 +44,9 @@
 "parLogAnalyticsWorkspaceLogRetentionInDays": {
 "value": "365"
 },
+ "parLogAnalyticsWorkspaceResourceCategory": {
+ "value": "allLogs"
+ },
 "parDataCollectionRuleVMInsightsResourceId": {
 "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr"
 },
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt
index 32fa0350e..c9f4f7f8a 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt
@@ -68,11 +68,6 @@ var varPolicyAssignmentDenySubnetWithoutUdr = {
 libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json')
 }
-var varPolicyAssignmentDeployAKSPolicy = {
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7'
- libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json')
-}
-
 var varPolicyAssignmentDeployASCMonitoring = {
 definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
 libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json')
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
deleted file mode 100644
index ce3dadeb7..000000000
--- a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "name": "Deploy-AKS-Policy",
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
- "properties": {
- "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.",
- "displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters",
- "notScopes": [],
- "parameters": {
- "effect": {
- "value": "DeployIfNotExists"
- }
- },
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7",
- "scope": null,
- "enforcementMode": "Default"
- },
- "location": null,
- "identity": {
- "type": "SystemAssigned"
- }
-}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt
index 266c9a91b..9852756b3 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt
@@ -143,11 +143,6 @@ var varPolicyAssignmentDenyUnmanagedDisk = {
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json')
 }
 
-var varPolicyAssignmentDeployAKSPolicy = {
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7'
- libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json')
-}
-
 var varPolicyAssignmentDeployASCMonitoring = {
 definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json')
@@ -253,7 +248,7 @@ var varPolicyAssignmentDeployVMChangeTrack = {
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json')
 }
 
-var varPolicyAssignmentDeployVMMonitoring = {
+var varPolicyAssignmentDeployVMMonitor24 = {
 definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6'
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json')
 }
@@ -263,7 +258,7 @@ var varPolicyAssignmentDeployVMSSChangeTrack = {
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json')
 }
 
-var varPolicyAssignmentDeployVMSSMonitoring = {
+var varPolicyAssignmentDeployVMSSMonitor24 = {
 definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485'
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json')
 }
@@ -318,6 +313,11 @@ var varPolicyAssignmentEnforceSovereignGlobal = {
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_global.tmpl.json')
 }
 
+var varPolicyAssignmentEnforceSubnetPrivate = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json')
+}
+
 var varPolicyAssignmentEnforceTLSSSLH224 = {
 definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509'
 libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json')
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
deleted file mode 100644
index 6855d8a9b..000000000
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "name": "Deploy-AKS-Policy",
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2024-04-01",
- "properties": {
- "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.",
- "displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters",
- "notScopes": [],
- "parameters": {
- "effect": {
- "value": "DeployIfNotExists"
- }
- },
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7",
- "scope": null,
- "enforcementMode": "Default"
- },
- "location": null,
- "identity": {
- "type": "SystemAssigned"
- }
-}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json
index bafa57058..2a578b552 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json
@@ -1,5 +1,5 @@
 {
- "name": "Deploy-VM-Monitoring",
+ "name": "Deploy-VM-Monitor-24",
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2024-04-01",
 "properties": {
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json
index d3e97457f..3a4e7c9ef 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json
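Review bot: Changing `"name"` from `Deploy-VM-Monitoring` to `Deploy-VM-Monitor-24` creates a new policyAssignments resource rather than updating the existing one, and a Bicep/ARM deployment does not delete a resource it no longer declares, so tenants that upgrade will keep the old `Deploy-VM-Monitoring` assignment alongside the new one. The same applies to the `Deploy-AKS-Policy` assignment removed in this commit: dropping it from the library does not remove it from any management group where it is already assigned, and its `SystemAssigned` identity keeps whatever role assignments remediation granted it. Two assignments of the same initiative means duplicate remediation tasks and an orphaned identity holding rights nobody reviews; the identity block of the VM monitor template is outside this hunk, but it is presumably SystemAssigned as well since the initiative deploys agents. Since JSON carries no comments, add upgrade guidance to the release notes or the assignment's `description` stating that `Deploy-VM-Monitoring`, `Deploy-VMSS-Monitoring` and `Deploy-AKS-Policy` must be deleted (and their identities' role assignments cleaned up) after this version is deployed. The rest of the JSON object continues beyond the hunk.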
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json
@@ -1,5 +1,5 @@
 {
- "name": "Deploy-VMSS-Monitoring",
+ "name": "Deploy-VMSS-Monitor-24",
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2024-04-01",
 "properties": {
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json
new file mode 100644
index 000000000..faf4c9ea4
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Enforce-Subnet-Private",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2024-04-01",
+ "properties": {
+ "description": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement",
+ "displayName": "Subnets should be private",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
diff --git a/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep b/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep
index a05faadfd..e9de8469a 100644
--- a/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep
+++ b/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep
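Review bot: `"parameters": {}` on the new Enforce-Subnet-Private assignment leaves the effect at whatever the built-in definition defaults to, so nothing in this file guarantees the Deny that the `Enforce-` name and the "preventing default outbound access" description imply, and the posture will silently follow any future change to the built-in's default. The other assignment templates in this library pin the effect explicitly (the removed Deploy-AKS-Policy carried `"effect": { "value": "DeployIfNotExists" }`); if built-in 7bca8353-… exposes an `effect` parameter, as most built-ins do, set it deliberately: `"parameters": { "effect": { "value": "Deny" } }`, or `Audit` if a staged rollout is intended. A Deny here refuses subnet creates/updates that still rely on default outbound access, which may include platform subnets created by other modules in this repo, so the intended effect and any required `notScopes` exclusions should be stated in the description before this reaches the platform management group. `"identity": { "type": "None" }` is consistent with an Audit/Deny effect and needs no change.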
@@ -14,637 +14,637 @@ var varTargetManagementGroupResourceId = tenantResourceId('Microsoft.Management/ // This variable contains a number of objects that load in the custom Azure Policy Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\policy_definitions\_policyDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable. var varCustomPolicyDefinitionsArray = [ { - name: 'Append-AppService-httpsonly' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-AppService-httpsonly.json') - } - { - name: 'Append-AppService-latestTLS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json') - } - { - name: 'Append-KV-SoftDelete' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-KV-SoftDelete.json') - } - { - name: 'Append-Redis-disableNonSslPort' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-Redis-disableNonSslPort.json') - } - { - name: 'Append-Redis-sslEnforcement' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json') - } - { - name: 'Audit-AzureHybridBenefit' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-AzureHybridBenefit.json') - } - { - name: 'Audit-Disks-UnusedResourcesCostOptimization' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-Disks-UnusedResourcesCostOptimization.json') - } - { - name: 'Audit-MachineLearning-PrivateEndpointId' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-MachineLearning-PrivateEndpointId.json') - } - { - name: 'Audit-PrivateLinkDnsZones' - libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json') - } - { - name: 'Audit-PublicIpAddresses-UnusedResourcesCostOptimization' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json') - } - { - name: 'Audit-ServerFarms-UnusedResourcesCostOptimization' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-ServerFarms-UnusedResourcesCostOptimization.json') - } - { - name: 'Deny-AA-child-resources' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AA-child-resources.json') - } - { - name: 'Deny-APIM-TLS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-APIM-TLS.json') - } - { - name: 'Deny-AppGw-Without-Tls' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppGw-Without-Tls.json') - } - { - name: 'Deny-AppGW-Without-WAF' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppGW-Without-WAF.json') - } - { - name: 'Deny-AppService-without-BYOC' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppService-without-BYOC.json') - } - { - name: 'Deny-AppServiceApiApp-http' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceApiApp-http.json') - } - { - name: 'Deny-AppServiceFunctionApp-http' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceFunctionApp-http.json') - } - { - name: 'Deny-AppServiceWebApp-http' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceWebApp-http.json') - } - { - name: 'Deny-AzFw-Without-Policy' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AzFw-Without-Policy.json') - } - { - name: 'Deny-CognitiveServices-NetworkAcls' - libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-NetworkAcls.json') - } - { - name: 'Deny-CognitiveServices-Resource-Kinds' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-Resource-Kinds.json') - } - { - name: 'Deny-CognitiveServices-RestrictOutboundNetworkAccess' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-RestrictOutboundNetworkAccess.json') - } - { - name: 'Deny-Databricks-NoPublicIp' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-NoPublicIp.json') - } - { - name: 'Deny-Databricks-Sku' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json') - } - { - name: 'Deny-Databricks-VirtualNetwork' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-VirtualNetwork.json') - } - { - name: 'Deny-EH-minTLS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-EH-minTLS.json') - } - { - name: 'Deny-EH-Premium-CMK' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-EH-Premium-CMK.json') - } - { - name: 'Deny-FileServices-InsecureAuth' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureAuth.json') - } - { - name: 'Deny-FileServices-InsecureKerberos' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureKerberos.json') - } - { - name: 'Deny-FileServices-InsecureSmbChannel' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbChannel.json') - } - { - name: 'Deny-FileServices-InsecureSmbVersions' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbVersions.json') - } - { - name: 'Deny-LogicApp-Public-Network' - libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-LogicApp-Public-Network.json') - } - { - name: 'Deny-LogicApps-Without-Https' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-LogicApps-Without-Https.json') - } - { - name: 'Deny-MachineLearning-Aks' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Aks.json') - } - { - name: 'Deny-MachineLearning-Compute-SubnetId' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-SubnetId.json') - } - { - name: 'Deny-MachineLearning-Compute-VmSize' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-VmSize.json') - } - { - name: 'Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json') - } - { - name: 'Deny-MachineLearning-ComputeCluster-Scale' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-Scale.json') - } - { - name: 'Deny-MachineLearning-HbiWorkspace' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-HbiWorkspace.json') - } - { - name: 'Deny-MachineLearning-PublicAccessWhenBehindVnet' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicAccessWhenBehindVnet.json') - } - { - name: 'Deny-MachineLearning-PublicNetworkAccess' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json') - } - { - name: 'Deny-MgmtPorts-From-Internet' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json') - } - { - name: 'Deny-MySql-http' - libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MySql-http.json') - } - { - name: 'Deny-PostgreSql-http' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json') - } - { - name: 'Deny-Private-DNS-Zones' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Private-DNS-Zones.json') - } - { - name: 'Deny-PublicEndpoint-MariaDB' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json') - } - { - name: 'Deny-PublicIP' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PublicIP.json') - } - { - name: 'Deny-RDP-From-Internet' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json') - } - { - name: 'Deny-Redis-http' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Redis-http.json') - } - { - name: 'Deny-Service-Endpoints' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Service-Endpoints.json') - } - { - name: 'Deny-Sql-minTLS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json') - } - { - name: 'Deny-SqlMi-minTLS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json') - } - { - name: 'Deny-Storage-ContainerDeleteRetentionPolicy' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ContainerDeleteRetentionPolicy.json') - } - { - name: 'Deny-Storage-CopyScope' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-CopyScope.json') - } - { - name: 'Deny-Storage-CorsRules' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-CorsRules.json') - } - { - name: 'Deny-Storage-LocalUser' - libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-LocalUser.json') - } - { - name: 'Deny-Storage-minTLS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json') - } - { - name: 'Deny-Storage-NetworkAclsBypass' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsBypass.json') - } - { - name: 'Deny-Storage-NetworkAclsVirtualNetworkRules' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsVirtualNetworkRules.json') - } - { - name: 'Deny-Storage-ResourceAccessRulesResourceId' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesResourceId.json') - } - { - name: 'Deny-Storage-ResourceAccessRulesTenantId' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesTenantId.json') - } - { - name: 'Deny-Storage-ServicesEncryption' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ServicesEncryption.json') - } - { - name: 'Deny-Storage-SFTP' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-SFTP.json') - } - { - name: 'Deny-StorageAccount-CustomDomain' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-StorageAccount-CustomDomain.json') - } - { - name: 'Deny-Subnet-Without-Nsg' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Nsg.json') - } - { - name: 'Deny-Subnet-Without-Penp' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Penp.json') - } - { - name: 'Deny-Subnet-Without-Udr' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Udr.json') - } - { - name: 'Deny-UDR-With-Specific-NextHop' - libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-UDR-With-Specific-NextHop.json') - } - { - name: 'Deny-VNET-Peer-Cross-Sub' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json') - } - { - name: 'Deny-VNET-Peering-To-Non-Approved-VNETs' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNET-Peering-To-Non-Approved-VNETs.json') - } - { - name: 'Deny-VNet-Peering' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNet-Peering.json') - } - { - name: 'DenyAction-ActivityLogs' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-ActivityLogs.json') - } - { - name: 'DenyAction-DeleteResources' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-DeleteResources.json') - } - { - name: 'DenyAction-DiagnosticLogs' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-DiagnosticLogs.json') - } - { - name: 'Deploy-ASC-SecurityContacts' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json') - } - { - name: 'Deploy-Budget' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Budget.json') - } - { - name: 'Deploy-Custom-Route-Table' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Custom-Route-Table.json') - } - { - name: 'Deploy-DDoSProtection' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-DDoSProtection.json') - } - { - name: 'Deploy-Diagnostics-AA' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AA.json') - } - { - name: 'Deploy-Diagnostics-ACI' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACI.json') - } - { - name: 'Deploy-Diagnostics-ACR' - libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACR.json') - } - { - name: 'Deploy-Diagnostics-AnalysisService' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AnalysisService.json') - } - { - name: 'Deploy-Diagnostics-ApiForFHIR' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApiForFHIR.json') - } - { - name: 'Deploy-Diagnostics-APIMgmt' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-APIMgmt.json') - } - { - name: 'Deploy-Diagnostics-ApplicationGateway' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApplicationGateway.json') - } - { - name: 'Deploy-Diagnostics-AVDScalingPlans' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AVDScalingPlans.json') - } - { - name: 'Deploy-Diagnostics-Bastion' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Bastion.json') - } - { - name: 'Deploy-Diagnostics-CDNEndpoints' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CDNEndpoints.json') - } - { - name: 'Deploy-Diagnostics-CognitiveServices' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CognitiveServices.json') - } - { - name: 'Deploy-Diagnostics-CosmosDB' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json') - } - { - name: 'Deploy-Diagnostics-Databricks' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json') - } - { - name: 'Deploy-Diagnostics-DataExplorerCluster' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataExplorerCluster.json') - } - { - name: 'Deploy-Diagnostics-DataFactory' - 
libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json') - } - { - name: 'Deploy-Diagnostics-DLAnalytics' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DLAnalytics.json') - } - { - name: 'Deploy-Diagnostics-EventGridSub' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSub.json') - } - { - name: 'Deploy-Diagnostics-EventGridSystemTopic' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSystemTopic.json') - } - { - name: 'Deploy-Diagnostics-EventGridTopic' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridTopic.json') - } - { - name: 'Deploy-Diagnostics-ExpressRoute' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ExpressRoute.json') - } - { - name: 'Deploy-Diagnostics-Firewall' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Firewall.json') - } - { - name: 'Deploy-Diagnostics-FrontDoor' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-FrontDoor.json') - } - { - name: 'Deploy-Diagnostics-Function' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Function.json') - } - { - name: 'Deploy-Diagnostics-HDInsight' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-HDInsight.json') - } - { - name: 'Deploy-Diagnostics-iotHub' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-iotHub.json') - } - { - name: 'Deploy-Diagnostics-LoadBalancer' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LoadBalancer.json') - } - { - name: 'Deploy-Diagnostics-LogAnalytics' - libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogAnalytics.json') - } - { - name: 'Deploy-Diagnostics-LogicAppsISE' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json') - } - { - name: 'Deploy-Diagnostics-MariaDB' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MariaDB.json') - } - { - name: 'Deploy-Diagnostics-MediaService' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MediaService.json') - } - { - name: 'Deploy-Diagnostics-MlWorkspace' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MlWorkspace.json') - } - { - name: 'Deploy-Diagnostics-MySQL' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MySQL.json') - } - { - name: 'Deploy-Diagnostics-NetworkSecurityGroups' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NetworkSecurityGroups.json') - } - { - name: 'Deploy-Diagnostics-NIC' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NIC.json') - } - { - name: 'Deploy-Diagnostics-PostgreSQL' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json') - } - { - name: 'Deploy-Diagnostics-PowerBIEmbedded' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PowerBIEmbedded.json') - } - { - name: 'Deploy-Diagnostics-RedisCache' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-RedisCache.json') - } - { - name: 'Deploy-Diagnostics-Relay' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Relay.json') - } - { - name: 'Deploy-Diagnostics-SignalR' - libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SignalR.json') - } - { - name: 'Deploy-Diagnostics-SQLElasticPools' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLElasticPools.json') - } - { - name: 'Deploy-Diagnostics-SQLMI' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLMI.json') - } - { - name: 'Deploy-Diagnostics-TimeSeriesInsights' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TimeSeriesInsights.json') - } - { - name: 'Deploy-Diagnostics-TrafficManager' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TrafficManager.json') - } - { - name: 'Deploy-Diagnostics-VirtualNetwork' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VirtualNetwork.json') - } - { - name: 'Deploy-Diagnostics-VM' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VM.json') - } - { - name: 'Deploy-Diagnostics-VMSS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VMSS.json') - } - { - name: 'Deploy-Diagnostics-VNetGW' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json') - } - { - name: 'Deploy-Diagnostics-VWanS2SVPNGW' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VWanS2SVPNGW.json') - } - { - name: 'Deploy-Diagnostics-WebServerFarm' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WebServerFarm.json') - } - { - name: 'Deploy-Diagnostics-Website' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Website.json') - } - { - name: 'Deploy-Diagnostics-WVDAppGroup' - libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDAppGroup.json') - } - { - name: 'Deploy-Diagnostics-WVDHostPools' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDHostPools.json') - } - { - name: 'Deploy-Diagnostics-WVDWorkspace' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDWorkspace.json') - } - { - name: 'Deploy-FirewallPolicy' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-FirewallPolicy.json') - } - { - name: 'Deploy-LogicApp-TLS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-LogicApp-TLS.json') - } - { - name: 'Deploy-MDFC-Arc-SQL-DCR-Association' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-Arc-SQL-DCR-Association.json') - } - { - name: 'Deploy-MDFC-Arc-Sql-DefenderSQL-DCR' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-Arc-Sql-DefenderSQL-DCR.json') - } - { - name: 'Deploy-MDFC-SQL-AMA' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-AMA.json') - } - { - name: 'Deploy-MDFC-SQL-DefenderSQL-DCR' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-DefenderSQL-DCR.json') - } - { - name: 'Deploy-MDFC-SQL-DefenderSQL' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-DefenderSQL.json') - } - { - name: 'Deploy-MySQL-sslEnforcement' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json') - } - { - name: 'Deploy-Nsg-FlowLogs-to-LA' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json') - } - { - name: 'Deploy-Nsg-FlowLogs' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json') 
- } - { - name: 'Deploy-PostgreSQL-sslEnforcement' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json') - } - { - name: 'Deploy-Private-DNS-Generic' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json') - } - { - name: 'Deploy-Sql-AuditingSettings' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-AuditingSettings.json') - } - { - name: 'Deploy-SQL-minTLS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json') - } - { - name: 'Deploy-Sql-SecurityAlertPolicies' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-SecurityAlertPolicies.json') - } - { - name: 'Deploy-Sql-Tde' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json') - } - { - name: 'Deploy-Sql-vulnerabilityAssessments_20230706' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json') - } - { - name: 'Deploy-Sql-vulnerabilityAssessments' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json') - } - { - name: 'Deploy-SqlMi-minTLS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json') - } - { - name: 'Deploy-Storage-sslEnforcement' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json') - } - { - name: 'Deploy-UserAssignedManagedIdentity-VMInsights' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-UserAssignedManagedIdentity-VMInsights.json') - } - { - name: 'Deploy-Vm-autoShutdown' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Vm-autoShutdown.json') - } - { - name: 'Deploy-VNET-HubSpoke' - libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-VNET-HubSpoke.json') - } - { - name: 'Deploy-Windows-DomainJoin' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Windows-DomainJoin.json') - } - { - name: 'Modify-NSG' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Modify-NSG.json') - } - { - name: 'Modify-UDR' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Modify-UDR.json') - } + name: 'Append-AppService-httpsonly' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-AppService-httpsonly.json') + } + { + name: 'Append-AppService-latestTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json') + } + { + name: 'Append-KV-SoftDelete' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-KV-SoftDelete.json') + } + { + name: 'Append-Redis-disableNonSslPort' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-Redis-disableNonSslPort.json') + } + { + name: 'Append-Redis-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json') + } + { + name: 'Audit-AzureHybridBenefit' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-AzureHybridBenefit.json') + } + { + name: 'Audit-Disks-UnusedResourcesCostOptimization' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-Disks-UnusedResourcesCostOptimization.json') + } + { + name: 'Audit-MachineLearning-PrivateEndpointId' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-MachineLearning-PrivateEndpointId.json') + } + { + name: 'Audit-PrivateLinkDnsZones' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json') + } + { + name: 
'Audit-PublicIpAddresses-UnusedResourcesCostOptimization' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json') + } + { + name: 'Audit-ServerFarms-UnusedResourcesCostOptimization' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-ServerFarms-UnusedResourcesCostOptimization.json') + } + { + name: 'Deny-AA-child-resources' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AA-child-resources.json') + } + { + name: 'Deny-APIM-TLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-APIM-TLS.json') + } + { + name: 'Deny-AppGw-Without-Tls' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppGw-Without-Tls.json') + } + { + name: 'Deny-AppGW-Without-WAF' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppGW-Without-WAF.json') + } + { + name: 'Deny-AppService-without-BYOC' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppService-without-BYOC.json') + } + { + name: 'Deny-AppServiceApiApp-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceApiApp-http.json') + } + { + name: 'Deny-AppServiceFunctionApp-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceFunctionApp-http.json') + } + { + name: 'Deny-AppServiceWebApp-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceWebApp-http.json') + } + { + name: 'Deny-AzFw-Without-Policy' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AzFw-Without-Policy.json') + } + { + name: 'Deny-CognitiveServices-NetworkAcls' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-NetworkAcls.json') + } + { + name: 
'Deny-CognitiveServices-Resource-Kinds' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-Resource-Kinds.json') + } + { + name: 'Deny-CognitiveServices-RestrictOutboundNetworkAccess' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-RestrictOutboundNetworkAccess.json') + } + { + name: 'Deny-Databricks-NoPublicIp' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-NoPublicIp.json') + } + { + name: 'Deny-Databricks-Sku' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json') + } + { + name: 'Deny-Databricks-VirtualNetwork' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-VirtualNetwork.json') + } + { + name: 'Deny-EH-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-EH-minTLS.json') + } + { + name: 'Deny-EH-Premium-CMK' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-EH-Premium-CMK.json') + } + { + name: 'Deny-FileServices-InsecureAuth' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureAuth.json') + } + { + name: 'Deny-FileServices-InsecureKerberos' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureKerberos.json') + } + { + name: 'Deny-FileServices-InsecureSmbChannel' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbChannel.json') + } + { + name: 'Deny-FileServices-InsecureSmbVersions' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbVersions.json') + } + { + name: 'Deny-LogicApp-Public-Network' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-LogicApp-Public-Network.json') + } + { + name: 
'Deny-LogicApps-Without-Https' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-LogicApps-Without-Https.json') + } + { + name: 'Deny-MachineLearning-Aks' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Aks.json') + } + { + name: 'Deny-MachineLearning-Compute-SubnetId' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-SubnetId.json') + } + { + name: 'Deny-MachineLearning-Compute-VmSize' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-VmSize.json') + } + { + name: 'Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json') + } + { + name: 'Deny-MachineLearning-ComputeCluster-Scale' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-Scale.json') + } + { + name: 'Deny-MachineLearning-HbiWorkspace' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-HbiWorkspace.json') + } + { + name: 'Deny-MachineLearning-PublicAccessWhenBehindVnet' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicAccessWhenBehindVnet.json') + } + { + name: 'Deny-MachineLearning-PublicNetworkAccess' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json') + } + { + name: 'Deny-MgmtPorts-From-Internet' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json') + } + { + name: 'Deny-MySql-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MySql-http.json') + } + { + name: 'Deny-PostgreSql-http' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json') + } + { + name: 'Deny-Private-DNS-Zones' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Private-DNS-Zones.json') + } + { + name: 'Deny-PublicEndpoint-MariaDB' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json') + } + { + name: 'Deny-PublicIP' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PublicIP.json') + } + { + name: 'Deny-RDP-From-Internet' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json') + } + { + name: 'Deny-Redis-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Redis-http.json') + } + { + name: 'Deny-Service-Endpoints' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Service-Endpoints.json') + } + { + name: 'Deny-Sql-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json') + } + { + name: 'Deny-SqlMi-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json') + } + { + name: 'Deny-Storage-ContainerDeleteRetentionPolicy' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ContainerDeleteRetentionPolicy.json') + } + { + name: 'Deny-Storage-CopyScope' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-CopyScope.json') + } + { + name: 'Deny-Storage-CorsRules' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-CorsRules.json') + } + { + name: 'Deny-Storage-LocalUser' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-LocalUser.json') + } + { + name: 'Deny-Storage-minTLS' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json') + } + { + name: 'Deny-Storage-NetworkAclsBypass' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsBypass.json') + } + { + name: 'Deny-Storage-NetworkAclsVirtualNetworkRules' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsVirtualNetworkRules.json') + } + { + name: 'Deny-Storage-ResourceAccessRulesResourceId' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesResourceId.json') + } + { + name: 'Deny-Storage-ResourceAccessRulesTenantId' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesTenantId.json') + } + { + name: 'Deny-Storage-ServicesEncryption' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ServicesEncryption.json') + } + { + name: 'Deny-Storage-SFTP' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-SFTP.json') + } + { + name: 'Deny-StorageAccount-CustomDomain' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-StorageAccount-CustomDomain.json') + } + { + name: 'Deny-Subnet-Without-Nsg' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Nsg.json') + } + { + name: 'Deny-Subnet-Without-Penp' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Penp.json') + } + { + name: 'Deny-Subnet-Without-Udr' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Udr.json') + } + { + name: 'Deny-UDR-With-Specific-NextHop' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-UDR-With-Specific-NextHop.json') + } + { + name: 'Deny-VNET-Peer-Cross-Sub' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json') + } + { + name: 'Deny-VNET-Peering-To-Non-Approved-VNETs' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNET-Peering-To-Non-Approved-VNETs.json') + } + { + name: 'Deny-VNet-Peering' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNet-Peering.json') + } + { + name: 'DenyAction-ActivityLogs' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-ActivityLogs.json') + } + { + name: 'DenyAction-DeleteResources' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-DeleteResources.json') + } + { + name: 'DenyAction-DiagnosticLogs' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-DiagnosticLogs.json') + } + { + name: 'Deploy-ASC-SecurityContacts' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json') + } + { + name: 'Deploy-Budget' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Budget.json') + } + { + name: 'Deploy-Custom-Route-Table' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Custom-Route-Table.json') + } + { + name: 'Deploy-DDoSProtection' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-DDoSProtection.json') + } + { + name: 'Deploy-Diagnostics-AA' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AA.json') + } + { + name: 'Deploy-Diagnostics-ACI' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACI.json') + } + { + name: 'Deploy-Diagnostics-ACR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACR.json') + } + { + name: 'Deploy-Diagnostics-AnalysisService' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AnalysisService.json') + } + { + name: 'Deploy-Diagnostics-ApiForFHIR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApiForFHIR.json') + } + { + name: 'Deploy-Diagnostics-APIMgmt' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-APIMgmt.json') + } + { + name: 'Deploy-Diagnostics-ApplicationGateway' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApplicationGateway.json') + } + { + name: 'Deploy-Diagnostics-AVDScalingPlans' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AVDScalingPlans.json') + } + { + name: 'Deploy-Diagnostics-Bastion' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Bastion.json') + } + { + name: 'Deploy-Diagnostics-CDNEndpoints' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CDNEndpoints.json') + } + { + name: 'Deploy-Diagnostics-CognitiveServices' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CognitiveServices.json') + } + { + name: 'Deploy-Diagnostics-CosmosDB' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json') + } + { + name: 'Deploy-Diagnostics-Databricks' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json') + } + { + name: 'Deploy-Diagnostics-DataExplorerCluster' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataExplorerCluster.json') + } + { + name: 'Deploy-Diagnostics-DataFactory' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json') + } + { + name: 'Deploy-Diagnostics-DLAnalytics' + 
libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DLAnalytics.json') + } + { + name: 'Deploy-Diagnostics-EventGridSub' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSub.json') + } + { + name: 'Deploy-Diagnostics-EventGridSystemTopic' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSystemTopic.json') + } + { + name: 'Deploy-Diagnostics-EventGridTopic' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridTopic.json') + } + { + name: 'Deploy-Diagnostics-ExpressRoute' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ExpressRoute.json') + } + { + name: 'Deploy-Diagnostics-Firewall' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Firewall.json') + } + { + name: 'Deploy-Diagnostics-FrontDoor' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-FrontDoor.json') + } + { + name: 'Deploy-Diagnostics-Function' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Function.json') + } + { + name: 'Deploy-Diagnostics-HDInsight' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-HDInsight.json') + } + { + name: 'Deploy-Diagnostics-iotHub' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-iotHub.json') + } + { + name: 'Deploy-Diagnostics-LoadBalancer' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LoadBalancer.json') + } + { + name: 'Deploy-Diagnostics-LogAnalytics' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogAnalytics.json') + } + { + name: 'Deploy-Diagnostics-LogicAppsISE' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json') + } + { + name: 'Deploy-Diagnostics-MariaDB' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MariaDB.json') + } + { + name: 'Deploy-Diagnostics-MediaService' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MediaService.json') + } + { + name: 'Deploy-Diagnostics-MlWorkspace' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MlWorkspace.json') + } + { + name: 'Deploy-Diagnostics-MySQL' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MySQL.json') + } + { + name: 'Deploy-Diagnostics-NetworkSecurityGroups' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NetworkSecurityGroups.json') + } + { + name: 'Deploy-Diagnostics-NIC' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NIC.json') + } + { + name: 'Deploy-Diagnostics-PostgreSQL' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json') + } + { + name: 'Deploy-Diagnostics-PowerBIEmbedded' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PowerBIEmbedded.json') + } + { + name: 'Deploy-Diagnostics-RedisCache' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-RedisCache.json') + } + { + name: 'Deploy-Diagnostics-Relay' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Relay.json') + } + { + name: 'Deploy-Diagnostics-SignalR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SignalR.json') + } + { + name: 'Deploy-Diagnostics-SQLElasticPools' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLElasticPools.json') + } + { + name: 'Deploy-Diagnostics-SQLMI' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLMI.json') + } + { + name: 'Deploy-Diagnostics-TimeSeriesInsights' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TimeSeriesInsights.json') + } + { + name: 'Deploy-Diagnostics-TrafficManager' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TrafficManager.json') + } + { + name: 'Deploy-Diagnostics-VirtualNetwork' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VirtualNetwork.json') + } + { + name: 'Deploy-Diagnostics-VM' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VM.json') + } + { + name: 'Deploy-Diagnostics-VMSS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VMSS.json') + } + { + name: 'Deploy-Diagnostics-VNetGW' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json') + } + { + name: 'Deploy-Diagnostics-VWanS2SVPNGW' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VWanS2SVPNGW.json') + } + { + name: 'Deploy-Diagnostics-WebServerFarm' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WebServerFarm.json') + } + { + name: 'Deploy-Diagnostics-Website' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Website.json') + } + { + name: 'Deploy-Diagnostics-WVDAppGroup' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDAppGroup.json') + } + { + name: 'Deploy-Diagnostics-WVDHostPools' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDHostPools.json') + } + { + name: 'Deploy-Diagnostics-WVDWorkspace' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDWorkspace.json') + } + { + name: 'Deploy-FirewallPolicy' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-FirewallPolicy.json') + } + { + name: 'Deploy-LogicApp-TLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-LogicApp-TLS.json') + } + { + name: 'Deploy-MDFC-Arc-SQL-DCR-Association' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-Arc-SQL-DCR-Association.json') + } + { + name: 'Deploy-MDFC-Arc-Sql-DefenderSQL-DCR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-Arc-Sql-DefenderSQL-DCR.json') + } + { + name: 'Deploy-MDFC-SQL-AMA' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-AMA.json') + } + { + name: 'Deploy-MDFC-SQL-DefenderSQL-DCR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-DefenderSQL-DCR.json') + } + { + name: 'Deploy-MDFC-SQL-DefenderSQL' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-DefenderSQL.json') + } + { + name: 'Deploy-MySQL-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json') + } + { + name: 'Deploy-Nsg-FlowLogs-to-LA' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json') + } + { + name: 'Deploy-Nsg-FlowLogs' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json') + } + { + name: 'Deploy-PostgreSQL-sslEnforcement' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json') + } + { + name: 'Deploy-Private-DNS-Generic' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json') + } + { + name: 'Deploy-Sql-AuditingSettings' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-AuditingSettings.json') + } + { + name: 'Deploy-SQL-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json') + } + { + name: 'Deploy-Sql-SecurityAlertPolicies' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-SecurityAlertPolicies.json') + } + { + name: 'Deploy-Sql-Tde' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json') + } + { + name: 'Deploy-Sql-vulnerabilityAssessments_20230706' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json') + } + { + name: 'Deploy-Sql-vulnerabilityAssessments' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json') + } + { + name: 'Deploy-SqlMi-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json') + } + { + name: 'Deploy-Storage-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json') + } + { + name: 'Deploy-UserAssignedManagedIdentity-VMInsights' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-UserAssignedManagedIdentity-VMInsights.json') + } + { + name: 'Deploy-Vm-autoShutdown' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Vm-autoShutdown.json') + } + { + name: 'Deploy-VNET-HubSpoke' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-VNET-HubSpoke.json')
+ }
+ {
+ name: 'Deploy-Windows-DomainJoin'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Windows-DomainJoin.json')
+ }
+ {
+ name: 'Modify-NSG'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Modify-NSG.json')
+ }
+ {
+ name: 'Modify-UDR'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Modify-UDR.json')
+ }
 ]
 // This variable contains a number of objects that load in the custom Azure Policy Set/Initiative Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\policy_set_definitions\_policySetDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable.
@@ -1489,7 +1489,7 @@ var varCustomPolicySetDefinitionsArray = [
 }
 {
 definitionReferenceId: 'defenderForCspm'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21'
 definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForCspm.parameters
 definitionGroups: []
 }
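Review bot: The `defenderForCspm` child is re-pointed from definition `689f7782-ef2c-4270-a6d0-7664869076bd` to `72f8cee7-2937-403d-84a1-a4e3e57f3c21`, but its `definitionParameters` still come from `varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForCspm`, which lies outside this hunk and is not changed by the commit. If the replacement definition exposes a different parameter schema than the one it supersedes, the set definition will be rejected at deployment validation rather than at compile time, so that parameters entry and the matching `policyDefinitions` entry in the library JSON this set loads should be checked against the new definition. A one-line comment on the changed line would save the next reader the lookup, e.g. `// defenderForCspm: definition replaced; parameters variable must match the replacement's schema`. The `varCustomPolicySetDefinitionsArray` declaration starts and ends outside this hunk.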
@@ -2321,6 +2321,12 @@ var varCustomPolicySetDefinitionsArray = [
 definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Backup-Cmk'].parameters
 definitionGroups: []
 }
+ {
+ definitionReferenceId: 'Deny-BotService-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-BotService-Cmk'].parameters
+ definitionGroups: []
+ }
 {
 definitionReferenceId: 'Deny-CognitiveSearch-Cmk'
 definitionId: '/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f'
@@ -3043,10 +3049,58 @@ var varCustomPolicySetDefinitionsArray = [
 }
 ]
 }
+ {
+ name: 'Enforce-Guardrails-BotService'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Audit-BotService-Private-Link'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Audit-BotService-Private-Link'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-BotService-Isolated-Mode'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Deny-BotService-Isolated-Mode'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-BotService-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Deny-BotService-Local-Auth'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-BotService-Valid-Uri'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Deny-BotService-Valid-Uri'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
 {
 name: 'Enforce-Guardrails-CognitiveServices'
 libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json')
 libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Aine-Cognitive-Services-Resource-Logs'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Aine-Cognitive-Services-Resource-Logs'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Cognitive-Services-Customer-Storage'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-Cognitive-Services-Customer-Storage'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-Cognitive-Services-Managed-Identity'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-Cognitive-Services-Managed-Identity'].parameters
+ definitionGroups: []
+ }
 {
 definitionReferenceId: 'Deny-CognitiveSearch-SKU'
 definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83'
@@ -3059,6 +3113,12 @@ var varCustomPolicySetDefinitionsArray = [
 definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-CongitiveSearch-LocalAuth'].parameters
 definitionGroups: []
 }
+ {
+ definitionReferenceId: 'Modify-Cognitive-Services-Local-Auth'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Modify-Cognitive-Services-Local-Auth'].parameters
+ definitionGroups: []
+ }
 {
 definitionReferenceId: 'Modify-Cognitive-Services-Public-Network-Access'
 definitionId: '/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c'
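Review bot: The new `definitionReferenceId` values mix two prefixes for audit-style children — `Audit-BotService-Private-Link` in the BotService set and `Aine-Cognitive-Services-Resource-Logs` in the CognitiveServices set, and the same split recurs with `Aine-ML-Resource-Logs` next to `Audit-ML-Private-Link` in the `@@ -3701` hunk. These IDs become part of the initiative's contract once released, because exemptions and compliance records key on them, so a later rename is a breaking change for consumers. If `Aine-` is intended to mark an AuditIfNotExists effect, state that convention once in a comment above the array, e.g. `// definitionReferenceId prefix reflects the child effect: Audit-, Aine- (AuditIfNotExists), Deny-, Modify-`; otherwise settle on one prefix before this ships. The `varCustomPolicySetDefinitionsArray` declaration starts and ends outside this hunk.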
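Review bot: `Modify-Cognitive-Services-Local-Auth` is a Modify-effect child placed among Deny entries, and nothing in the hunk shows what effect it defaults to; unlike the Deny entries it acts on existing accounts during remediation, and by its name it presumably turns off local (key-based) authentication, which is service-affecting for clients still using keys. Its parameters are read from `varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Modify-Cognitive-Services-Local-Auth']`, outside this hunk, so confirm what that entry sets as the effect and record it in the set's documentation, and check that the assignment of this set carries a managed identity holding the role the definition declares, since remediation does not run without one. The `varCustomPolicySetDefinitionsArray` declaration starts and ends outside this hunk.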
@@ -3701,6 +3761,60 @@ var varCustomPolicySetDefinitionsArray = [
 name: 'Enforce-Guardrails-MachineLearning'
 libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json')
 libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Aine-ML-Resource-Logs'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Aine-ML-Resource-Logs'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Audit-ML-Private-Link'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Audit-ML-Private-Link'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Audit-ML-Virtual-Network'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Audit-ML-Virtual-Network'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ML-Allowed-Module'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Module'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ML-Allowed-Python'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Python'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ML-Allowed-Registries'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Registries'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ML-Allowed-Registry-Deploy'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Registry-Deploy'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ML-Idle-Shutdown'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Idle-Shutdown'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-ML-Legacy-Mode'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Legacy-Mode'].parameters
+ definitionGroups: []
+ }
 {
 definitionReferenceId: 'Deny-ML-Local-Auth'
 definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f'
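Review bot: `Deny-ML-Allowed-Module`, `Deny-ML-Allowed-Python`, `Deny-ML-Allowed-Registries` and `Deny-ML-Allowed-Registry-Deploy` are allow-list definitions, so what they block is decided entirely by the list values read from `varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters`, a parameters file that is not in this diff. If those lists are empty while the effect resolves to Deny, every ML compute, package install and registry deployment under the assignment is refused; if they are empty with Audit, the `Deny-` prefix overstates what the set does. Please confirm the shipped defaults and add a short comment above these four entries stating that the allow-lists must be populated per environment before assignment. The `Enforce-Guardrails-MachineLearning` entry continues past the end of the hunk.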
@@ -3893,6 +4007,24 @@ var varCustomPolicySetDefinitionsArray = [
 name: 'Enforce-Guardrails-OpenAI'
 libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json')
 libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'Aine-AzureAI-Diag-Settings'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Aine-AzureAI-Diag-Settings'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Audit-AzureAI-Private-Link'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Audit-AzureAI-Private-Link'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Deny-AzureAI-Network-Access'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-AzureAI-Network-Access'].parameters
+ definitionGroups: []
+ }
 {
 definitionReferenceId: 'Deny-Cognitive-Services-Cust-Storage'
 definitionId: '/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515'
@@ -3923,6 +4055,18 @@ var varCustomPolicySetDefinitionsArray = [
 definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-OpenAi-OutboundNetworkAccess'].parameters
 definitionGroups: []
 }
+ {
+ definitionReferenceId: 'Dine-AzureAI-Local-Key'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Dine-AzureAI-Local-Key'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'Dine-AzureAI-Local-Key2'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Dine-AzureAI-Local-Key2'].parameters
+ definitionGroups: []
+ }
 {
 definitionReferenceId: 'Modify-Cognitive-Services-Local-Auth'
 definitionId: '/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555'
@@ -4274,6 +4418,8 @@ var varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters = loadJsonCon
 
 var varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Automation.parameters.json')
 
+var varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.parameters.json')
+
 var varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json')
 
 var varPolicySetDefinitionEsEnforceGuardrailsComputeParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Compute.parameters.json')
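Review bot: `Dine-AzureAI-Local-Key2` does not say how definition `55eff01b-f2bd-4c32-9203-db285f709d30` differs from `d45520cb-31ca-44ba-8da2-fcf914608544` under `Dine-AzureAI-Local-Key`, and since `definitionReferenceId` values are what exemptions, remediation tasks and compliance reports key on, a numeric suffix is hard to read now and costly to rename later. Name the second entry after the resource type or condition it targets, the way the neighbouring referenceIds (`Deny-OpenAi-OutboundNetworkAccess`, `Modify-Cognitive-Services-Local-Auth`) describe their scope, or put a one-line comment above each of the two entries stating which resources it remediates.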
@@ -4320,6 +4466,7 @@ var varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters = loadJsonContent
 
 var varPolicySetDefinitionEsEnforceGuardrailsVirtualDesktopParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-VirtualDesktop.parameters.json')
 
+
 // Customer Usage Attribution Id
 var varCuaid = '2b136786-9881-412e-84ba-f4c2822e1ac9'
 
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json
index 628ae5b66..547cca8cd 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json
@@ -9,7 +9,7 @@
 "displayName": "AppService append sites with minimum TLS version to enforce.",
 "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "App Service",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -35,6 +35,7 @@
 "type": "String",
 "defaultValue": "1.2",
 "allowedValues": [
+ "1.3",
 "1.2",
 "1.0",
 "1.1"
@@ -54,7 +55,7 @@
 },
 {
 "field": "Microsoft.Web/sites/config/minTlsVersion",
- "notEquals": "[parameters('minTlsVersion')]"
+ "less": "[parameters('minTlsVersion')]"
 }
 ]
 },
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json
index 817426388..aac286f37 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json
@@ -9,7 +9,7 @@
 "displayName": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.",
 "description": "Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Cache",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -56,7 +56,7 @@
 "anyOf": [
 {
 "field": "Microsoft.Cache/Redis/minimumTlsVersion",
- "notequals": "[parameters('minimumTlsVersion')]"
+ "less": "[parameters('minimumTlsVersion')]"
 }
 ]
 }
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json
index 5050e82df..e63ca602b 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json
@@ -73,7 +73,7 @@
 "privatelink.gremlin.cosmos.azure.com",
 "privatelink.guestconfiguration.azure.com",
 "privatelink.his.arc.azure.com",
- "privatelink.dp.kubernetesconfiguration.azure.com",
+ "privatelink.kubernetesconfiguration.azure.com",
 "privatelink.managedhsm.azure.net",
 "privatelink.mariadb.database.azure.com",
 "privatelink.media.azure.net",
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-EH-minTLS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-EH-minTLS.json
index a1e8b33e7..6f7e7a29e 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-EH-minTLS.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-EH-minTLS.json
@@ -9,7 +9,7 @@
 "displayName": "Event Hub namespaces should use a valid TLS version",
 "description": "Event Hub namespaces should use a valid TLS version.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Event Hub",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -52,7 +52,7 @@
 "anyOf": [
 {
 "field": "Microsoft.EventHub/namespaces/minimumTlsVersion",
- "notEquals": "[parameters('minTlsVersion')]"
+ "less": "[parameters('minTlsVersion')]"
 },
 {
 "field": "Microsoft.EventHub/namespaces/minimumTlsVersion",
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MySql-http.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MySql-http.json
index a8da04389..1c98aa2b4 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MySql-http.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MySql-http.json
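Review bot: Replacing `privatelink.dp.kubernetesconfiguration.azure.com` with `privatelink.kubernetesconfiguration.azure.com` removes the former zone from the audited list outright, so an environment that still resolves Arc Kubernetes configuration private endpoints through the `dp.` zone silently drops out of the audit instead of being flagged. Please confirm the new name against the current Azure private-endpoint DNS zone reference, and if both names are in circulation keep both entries rather than swapping one for the other. This file's `metadata.version` is not bumped for the list change, unlike every other definition touched in this diff.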
@@ -9,7 +9,7 @@
 "displayName": "MySQL database servers enforce SSL connections.",
 "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -66,7 +66,7 @@
 },
 {
 "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
- "notequals": "[parameters('minimalTlsVersion')]"
+ "less": "[parameters('minimalTlsVersion')]"
 }
 ]
 }
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Redis-http.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Redis-http.json
index 73d491ad7..70055987b 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Redis-http.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Redis-http.json
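Review bot: Switching this clause to `"less": "[parameters('minimalTlsVersion')]"` loses coverage of the provider's non-version sentinel, because as far as I know Azure Policy orders two strings textually and `TLSEnforcementDisabled`, which `Microsoft.DBforMySQL/servers/minimalTlsVersion` accepts, sorts above `TLS1_2`, whereas the old `notequals` caught it. The same concern applies to `TLSEnforcementDisabled` in the Deploy-MySQL-sslEnforcement and Deploy-PostgreSQL-sslEnforcement hunks and to the `None` value accepted by `Microsoft.Sql/servers/minimalTlsVersion` and `Microsoft.Sql/managedInstances/minimalTlsVersion` in the Deny-Sql-minTLS, Deny-SqlMi-minTLS, Deploy-SQL-minTLS and Deploy-SqlMi-minTLS hunks; the AppService, Redis, Event Hub and Storage fields only take ordered version strings, so `less` is sound there. Unless the enclosing `anyOf` (which starts before this hunk) already has a clause for the sentinel, keep `less` for the version ordering and add a sibling condition such as `{ "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion", "equals": "TLSEnforcementDisabled" }` so turning enforcement off is still denied. It is also worth checking that a missing field on older API versions is handled, since `less` cannot match an absent value; the second clause in the Event Hub `anyOf` appears to cover that case there.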
@@ -9,7 +9,7 @@
 "displayName": "Azure Cache for Redis only secure connections should be enabled",
 "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Cache",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -41,7 +41,7 @@
 "1.0"
 ],
 "metadata": {
- "displayName": "Select minumum TLS version for Azure Cache for Redis.",
+ "displayName": "Select minimum TLS version for Azure Cache for Redis.",
 "description": "Select minimum TLS version for Azure Cache for Redis."
 }
 }
@@ -61,7 +61,7 @@
 },
 {
 "field": "Microsoft.Cache/Redis/minimumTlsVersion",
- "notequals": "[parameters('minimumTlsVersion')]"
+ "less": "[parameters('minimumTlsVersion')]"
 }
 ]
 }
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json
index f859443e7..f9890d9f4 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json
@@ -9,7 +9,7 @@
 "displayName": "Azure SQL Database should have the minimal TLS version set to the highest version",
 "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -61,7 +61,7 @@
 },
 {
 "field": "Microsoft.Sql/servers/minimalTlsVersion",
- "notequals": "[parameters('minimalTlsVersion')]"
+ "less": "[parameters('minimalTlsVersion')]"
 }
 ]
 }
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json
index 951d1ac18..d1d555201 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json
@@ -7,9 +7,9 @@
 "policyType": "Custom",
 "mode": "Indexed",
 "displayName": "SQL Managed Instance should have the minimal TLS version set to the highest version",
- "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.",
+ "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -61,7 +61,7 @@
 },
 {
 "field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
- "notequals": "[parameters('minimalTlsVersion')]"
+ "less": "[parameters('minimalTlsVersion')]"
 }
 ]
 }
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json
index d9d6dd82c..47cf20289 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json
@@ -9,7 +9,7 @@
 "displayName": "Deny vNet peering cross subscription.",
 "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.",
 "metadata": {
- "version": "1.0.1",
+ "version": "1.1.0",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -31,6 +31,14 @@
 "Disabled"
 ],
 "defaultValue": "Deny"
+ },
+ "allowedVnets": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Allowed vNets to peer with",
+ "description": "Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}"
+ },
+ "defaultValue": []
 }
 },
 "policyRule": {
@@ -41,8 +49,16 @@
 "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
 },
 {
- "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
- "notcontains": "[subscription().id]"
+ "allOf": [
+ {
+ "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
+ "notIn": "[parameters('allowedVnets')]"
+ },
+ {
+ "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
+ "notLike": "[concat(subscription().id, '/*')]"
+ }
+ ]
 }
 ]
 },
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json
index 3dca74215..180fb74d1 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json
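Review bot: The new `allowedVnets` parameter is a free-text array of resource IDs with no `strongType`, so assignments get no resource picker and a mistyped ID simply fails to exempt the intended peering with nothing to flag it; adding `"strongType": "Microsoft.Network/virtualNetworks"` to its `metadata` should give the portal a selector and keep the value shape consistent. The `allOf` in the `@@ -41` hunk is sound: same-subscription peerings stay allowed through `notLike` on `[concat(subscription().id, '/*')]`, and the empty default preserves the previous behaviour. Consider also saying in the `description` that entries are matched as whole IDs, since `notIn` does no pattern matching, so a wildcard entry would never match. The enclosing `if` block starts before this hunk.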
@@ -9,7 +9,7 @@
 "displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.",
 "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -61,7 +61,7 @@
 },
 {
 "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
- "notequals": "[parameters('minimalTlsVersion')]"
+ "less": "[parameters('minimalTlsVersion')]"
 }
 ]
 }
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json
index 3cf45b5ec..e5a74136f 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json
@@ -9,7 +9,7 @@
 "displayName": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ",
 "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -61,7 +61,7 @@
 },
 {
 "field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion",
- "notEquals": "[parameters('minimalTlsVersion')]"
+ "less": "[parameters('minimalTlsVersion')]"
 }
 ]
 }
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json
index caf64db9f..580c205cc 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json
@@ -9,7 +9,7 @@
 "displayName": "Deploy-Private-DNS-Generic",
 "description": "Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.",
 "metadata": {
- "version": "1.0.0",
+ "version": "2.0.0",
 "category": "Networking",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -34,8 +34,8 @@
 "privateDnsZoneId": {
 "type": "String",
 "metadata": {
- "displayName": "Private DNS Zone ID for Paas services",
- "description": "The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.",
+ "displayName": "Private DNS Zone ID for PaaS services",
+ "description": "The private DNS zone name required for specific PaaS Services to resolve a private DNS Zone.",
 "strongType": "Microsoft.Network/privateDnsZones",
 "assignPermissions": true
 }
@@ -61,11 +61,24 @@
 "description": "The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists"
 },
 "defaultValue": "PT10M"
+ },
+ "location": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Location (Specify the Private Endpoint location)",
+ "description": "Specify the Private Endpoint location",
+ "strongType": "location"
+ },
+ "defaultValue": "northeurope"
 }
 },
 "policyRule": {
 "if": {
 "allOf": [
+ {
+ "field": "location",
+ "equals": "[parameters('location')]"
+ },
 {
 "field": "type",
 "equals": "Microsoft.Network/privateEndpoints"
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json
index 48909e0ee..51323d520 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json
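Review bot: The added `"field": "location", "equals": "[parameters('location')]"` condition makes this a per-region definition: a private endpoint created in any other location no longer matches the `if`, so no DNS zone group is deployed for it and nothing reports the gap. Together with the `northeurope` default, an assignment made with defaults in another region is a silent no-op, which is a coverage regression the 2.0.0 bump hints at but the parameter text does not explain. Spell it out on the parameter, e.g. `"description": "Specify the Private Endpoint location. The policy only evaluates private endpoints in this location; create one assignment per location in use."`, and consider dropping the region-specific default so the value has to be chosen consciously at assignment time. The `allOf` list continues past the end of the hunk.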
@@ -9,7 +9,7 @@
 "displayName": "SQL servers deploys a specific min TLS version requirement.",
 "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -54,7 +54,7 @@
 },
 {
 "field": "Microsoft.Sql/servers/minimalTlsVersion",
- "notequals": "[parameters('minimalTlsVersion')]"
+ "less": "[parameters('minimalTlsVersion')]"
 }
 ]
 },
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json
index a2e4c61ce..fa69bf9b3 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json
@@ -9,7 +9,7 @@
 "displayName": "SQL managed instances deploy a specific min TLS version requirement.",
 "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
 "metadata": {
- "version": "1.2.0",
+ "version": "1.3.0",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -54,7 +54,7 @@
 },
 {
 "field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
- "notequals": "[parameters('minimalTlsVersion')]"
+ "less": "[parameters('minimalTlsVersion')]"
 }
 ]
 },
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json
index 6e0531aa6..5b624d427 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json
@@ -9,7 +9,7 @@
 "displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ",
 "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.",
 "metadata": {
- "version": "1.2.0",
+ "version": "1.3.0",
 "category": "Storage",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -60,7 +60,7 @@
 },
 {
 "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
- "notEquals": "[parameters('minimumTlsVersion')]"
+ "less": "[parameters('minimumTlsVersion')]"
 }
 ]
 }
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt
index f70087457..127a76c21 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt
@@ -839,7 +839,7 @@ var varCustomPolicySetDefinitionsArray = [
 }
 {
 definitionReferenceId: 'defenderForCspm'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21'
 definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForCspm.parameters
 definitionGroups: []
 }
@@ -1671,6 +1671,12 @@ var varCustomPolicySetDefinitionsArray = [
 definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Backup-Cmk'].parameters
 definitionGroups: []
 }
+ {
+ definitionReferenceId: 'Deny-BotService-Cmk'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-BotService-Cmk'].parameters
+ definitionGroups: []
+ }
 {
 definitionReferenceId: 'Deny-CognitiveSearch-Cmk'
 definitionId: '/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f'
@@ -2393,10 +2399,58 @@ var varCustomPolicySetDefinitionsArray = [ } ] } + { + name: 'Enforce-Guardrails-BotService' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Audit-BotService-Private-Link' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Audit-BotService-Private-Link'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-BotService-Isolated-Mode' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Deny-BotService-Isolated-Mode'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-BotService-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Deny-BotService-Local-Auth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-BotService-Valid-Uri' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Deny-BotService-Valid-Uri'].parameters + definitionGroups: [] + } + ] + } { name: 'Enforce-Guardrails-CognitiveServices' libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json') libSetChildDefinitions: [ + { + definitionReferenceId: 'Aine-Cognitive-Services-Resource-Logs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4' + definitionParameters: 
varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Aine-Cognitive-Services-Resource-Logs'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Cognitive-Services-Customer-Storage' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-Cognitive-Services-Customer-Storage'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Cognitive-Services-Managed-Identity' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-Cognitive-Services-Managed-Identity'].parameters + definitionGroups: [] + } { definitionReferenceId: 'Deny-CognitiveSearch-SKU' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83' @@ -2409,6 +2463,12 @@ var varCustomPolicySetDefinitionsArray = [ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-CongitiveSearch-LocalAuth'].parameters definitionGroups: [] } + { + definitionReferenceId: 'Modify-Cognitive-Services-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Modify-Cognitive-Services-Local-Auth'].parameters + definitionGroups: [] + } { definitionReferenceId: 'Modify-Cognitive-Services-Public-Network-Access' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c' 
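Review bot: `Deny-Cognitive-Services-Customer-Storage` (`46aa9b05-0e60-4eae-a88b-1e9d374fa515`) and, in the second hunk on this line, `Modify-Cognitive-Services-Local-Auth` (`14de9e63-1b31-492e-a5a3-c3f7fd57f555`) are added to Enforce-Guardrails-CognitiveServices while the same built-ins remain in Enforce-Guardrails-OpenAI as `Deny-Cognitive-Services-Cust-Storage` and `Modify-Cognitive-Services-Local-Auth`. A scope where both initiatives are assigned will evaluate these definitions twice, with whichever effect each initiative's parameter selects, and the two `Modify` remediations will race for the same property. That may be intended since the sets target different workloads, but it deserves a sentence in the initiative descriptions or the commit message. The enclosing `varCustomPolicySetDefinitionsArray` starts and ends outside the hunk.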
@@ -3051,6 +3111,60 @@ var varCustomPolicySetDefinitionsArray = [ name: 'Enforce-Guardrails-MachineLearning' libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json') libSetChildDefinitions: [ + { + definitionReferenceId: 'Aine-ML-Resource-Logs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Aine-ML-Resource-Logs'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Audit-ML-Private-Link' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Audit-ML-Private-Link'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Audit-ML-Virtual-Network' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Audit-ML-Virtual-Network'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-Allowed-Module' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Module'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-Allowed-Python' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Python'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-Allowed-Registries' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Registries'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-Allowed-Registry-Deploy' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Registry-Deploy'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-Idle-Shutdown' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Idle-Shutdown'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-Legacy-Mode' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Legacy-Mode'].parameters + definitionGroups: [] + } { definitionReferenceId: 'Deny-ML-Local-Auth' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f' 
@@ -3243,6 +3357,24 @@ var varCustomPolicySetDefinitionsArray = [ name: 'Enforce-Guardrails-OpenAI' libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json') libSetChildDefinitions: [ + { + definitionReferenceId: 'Aine-AzureAI-Diag-Settings' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Aine-AzureAI-Diag-Settings'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Audit-AzureAI-Private-Link' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Audit-AzureAI-Private-Link'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AzureAI-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-AzureAI-Network-Access'].parameters + definitionGroups: [] + } { definitionReferenceId: 'Deny-Cognitive-Services-Cust-Storage' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515' 
@@ -3273,6 +3405,18 @@ var varCustomPolicySetDefinitionsArray = [ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-OpenAi-OutboundNetworkAccess'].parameters definitionGroups: [] } + { + definitionReferenceId: 'Dine-AzureAI-Local-Key' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Dine-AzureAI-Local-Key'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Dine-AzureAI-Local-Key2' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Dine-AzureAI-Local-Key2'].parameters + definitionGroups: [] + } { definitionReferenceId: 'Modify-Cognitive-Services-Local-Auth' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555' @@ -3624,6 +3768,8 @@ var varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters = loadJsonCon var varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Automation.parameters.json') +var varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.parameters.json') + var varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json') var varPolicySetDefinitionEsEnforceGuardrailsComputeParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Compute.parameters.json') 
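Review bot: `Dine-AzureAI-Local-Key2` is an opaque reference id: two distinct built-ins (`d45520cb-31ca-44ba-8da2-fcf914608544` and `55eff01b-f2bd-4c32-9203-db285f709d30`) are told apart only by a trailing `2`, so a reader cannot tell which resource type each one configures without looking the GUIDs up. Name both after what the built-in does (`Dine-AzureAI-Local-Key-<resource-kind>` as a placeholder pattern) and keep the keys in the `.parameters.json` file in sync, since the two files are matched by that string. The enclosing `varCustomPolicySetDefinitionsArray` starts and ends outside the hunk.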
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.json index ffe9b7f9d..a01eeaf9e 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.json @@ -8,7 +8,7 @@ "displayName": "Deploy Microsoft Defender for Cloud configuration", "description": "Deploy Microsoft Defender for Cloud configuration", "metadata": { - "version": "1.0.0", + "version": "2.1.0", "category": "Security Center", "source": "https://github.com/Azure/Enterprise-Scale/", "replacesPolicy": "Deploy-MDFC-Config", @@ -59,6 +59,18 @@ "description": "The location where the resource group and the export to Log Analytics workspace configuration are created." } }, + "createResourceGroup": { + "type": "Boolean", + "metadata": { + "displayName": "Create resource group", + "description": "If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group." + }, + "defaultValue": true, + "allowedValues": [ + true, + false + ] + }, "enableAscForCosmosDbs": { "type": "String", "allowedValues": [ @@ -355,7 +367,7 @@ }, { "policyDefinitionReferenceId": "defenderForCspm", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21", "parameters": { "effect": { "value": "[[parameters('enableAscForCspm')]" 
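Review bot: `createResourceGroup` defaults to `true`, and its own description says that with `true` an existing resource group is re-deployed and loses its tags; for an initiative assigned at management-group scope that is a surprising side effect of a remediation run against a resource group other teams may tag for cost or ownership. Consider defaulting to `false`, or at least calling the behaviour out in the release notes for the 1.0.0 to 2.1.0 bump and in the `displayName` (e.g. `Create resource group (re-deploys and clears tags if it exists)`). The value is passed through to the policy in the following hunk and in the `.parameters.json` file, so the default is the only place the behaviour is chosen.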
@@ -386,6 +398,9 @@ "resourceGroupLocation": { "value": "[[parameters('ascExportResourceGroupLocation')]" }, + "createResourceGroup": { + "value": "[[parameters('createResourceGroup')]" + }, "workspaceResourceId": { "value": "[[parameters('logAnalytics')]" } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.parameters.json index 5408895e1..49c2d3bc2 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.parameters.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.parameters.json @@ -7,6 +7,9 @@ "resourceGroupLocation": { "value": "[[parameters('ascExportResourceGroupLocation')]" }, + "createResourceGroup": { + "value": "[[parameters('createResourceGroup')]" + }, "workspaceResourceId": { "value": "[[parameters('logAnalytics')]" } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json index 78db42184..1029fde0f 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json 
@@ -1430,13 +1430,13 @@ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Arc", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9", "parameters": { - "privateDnsZoneIdForGuestConfiguration": { + "privateDnsZoneIDForGuestConfiguration": { "value": "[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]" }, - "privateDnsZoneIdForHybridResourceProvider": { + "privateDnsZoneIDForHybridResourceProvider": { "value": "[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]" }, - "privateDnsZoneIdForKubernetesConfiguration": { + "privateDnsZoneIDForKubernetesConfiguration": { "value": "[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]" }, "effect": { diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json index e63e3e07e..9a498b1f3 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json @@ -31,13 +31,13 @@ }, "DINE-Private-DNS-Azure-Arc": { "parameters": { - "privateDnsZoneIdForGuestConfiguration": { + "privateDnsZoneIDForGuestConfiguration": { "value": "[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]" }, - "privateDnsZoneIdForHybridResourceProvider": { + "privateDnsZoneIDForHybridResourceProvider": { "value": "[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]" }, - "privateDnsZoneIdForKubernetesConfiguration": { + "privateDnsZoneIDForKubernetesConfiguration": { "value": "[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]" }, "effect": { 
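Review bot: Deploy-Private-DNS-Zones gets only the parameter-key rename (`privateDnsZoneIdFor…` to `privateDnsZoneIDFor…`) with no `metadata.version` change, and the same applies to the Enforce-Backup hunk that follows, whereas the other initiatives touched by this commit bump their version (Enforce-Encryption-CMK 3.0.0 to 3.1.0, Key Vault 2.0.0 to 2.1.0). If the repo's convention is that any change to a definition bumps its version, these two files should get at least a patch bump so consumers can tell the corrected parameter names apart from the previous release.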
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.json index 926070f11..fa918cd44 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.json @@ -63,7 +63,7 @@ "effect": { "value": "[[parameters('effect')]" }, - "CheckLockedImmutabiltyOnly": { + "checkLockedImmutabiltyOnly": { "value": "[[parameters('checkLockedImmutabilityOnly')]" } }, diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.parameters.json index 309234ee1..fda226ea8 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.parameters.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.parameters.json @@ -4,7 +4,7 @@ "effect": { "value": "[[parameters('effect')]" }, - "CheckLockedImmutabiltyOnly": { + "checkLockedImmutabiltyOnly": { "value": "[[parameters('checkLockedImmutabilityOnly')]" } } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json index cbe71336a..9ad7af052 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json 
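Review bot: The renamed key `checkLockedImmutabiltyOnly` keeps the `Immutabilty` spelling while the initiative's own parameter it maps to is `checkLockedImmutabilityOnly`, so the two differ by more than case. That key has to match the built-in's parameter name exactly, so it is worth confirming against the built-in that the misspelling is really what it expects; if it is, a short line in the commit message saying so will stop the next reader from "fixing" it.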
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json @@ -8,7 +8,7 @@ "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", "metadata": { - "version": "3.0.0", + "version": "3.1.0", "category": "Encryption", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -329,6 +329,18 @@ "Deny", "Disabled" ] + }, + "botServiceCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "audit", + "Deny", + "deny", + "Disabled", + "disabled" + ] } }, "policyDefinitions": [ @@ -621,6 +633,16 @@ } }, "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-BotService-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f", + "parameters": { + "effect": { + "value": "[[parameters('botServiceCmk')]" + } + }, + "groupNames": [] } ], "policyDefinitionGroups": null diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json index bb398c41e..fb13a9bb8 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json @@ -69,6 +69,13 @@ } } }, + "Deny-BotService-Cmk": { + "parameters": { + "effect": { + "value": "[[parameters('botServiceCmk')]" + } + } + }, "Deny-CognitiveSearch-Cmk": { "parameters": { "effect": { 
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.json
new file mode 100644
index 000000000..2585627fa
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.json
@@ -0,0 +1,107 @@
+{
+ "name": "Enforce-Guardrails-BotService",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Bot Service",
+ "description": "This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Bot Service",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "botServiceValidUri": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "audit",
+ "Deny",
+ "deny",
+ "Disabled",
+ "disabled"
+ ]
+ },
+ "botServiceIsolatedMode": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "audit",
+ "Deny",
+ "deny",
+ "Disabled",
+ "disabled"
+ ]
+ },
+ "botServiceLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "botServicePrivateLink": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-BotService-Valid-Uri",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('botServiceValidUri')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-BotService-Isolated-Mode",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('botServiceIsolatedMode')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-BotService-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('botServiceLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Audit-BotService-Private-Link",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('botServicePrivateLink')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.parameters.json
new file mode 100644
index 000000000..1833e1f07
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.parameters.json
@@ -0,0 +1,30 @@
+{
+ "Audit-BotService-Private-Link": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('botServicePrivateLink')]"
+ }
+ }
+ },
+ "Deny-BotService-Isolated-Mode": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('botServiceIsolatedMode')]"
+ }
+ }
+ },
+ "Deny-BotService-Local-Auth": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('botServiceLocalAuth')]"
+ }
+ }
+ },
+ "Deny-BotService-Valid-Uri": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('botServiceValidUri')]"
+ }
+ }
+ }
+}
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json
index e468d4919..8f03d6d89 100644
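Review bot: The four effect parameters of the new Enforce-Guardrails-BotService set are inconsistent about case: `botServiceValidUri` and `botServiceIsolatedMode` accept `Audit`/`audit`, `Deny`/`deny`, `Disabled`/`disabled`, while `botServiceLocalAuth` and `botServicePrivateLink` accept only the capitalised forms, so `deny` is accepted for isolated mode but rejected for local auth. Either add the lowercase variants to all four, as this commit does for Key Vault and Kubernetes, or drop them from the new file. The file is also committed without a trailing newline (`\ No newline at end of file`), unlike its sibling `.parameters.json`.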
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Cognitive Services", "description": "This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Cognitive Services", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -44,6 +44,14 @@ "Disabled" ] }, + "cognitiveServicesLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, "modifyCognitiveSearchPublicEndpoint": { "type": "string", "defaultValue": "Modify", @@ -59,6 +67,32 @@ "Modify", "Disabled" ] + }, + "cognitiveServicesManagedIdentity": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesCustomerStorage": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesResourceLogs": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] } }, "policyDefinitions": [ 
@@ -111,6 +145,46 @@ } }, "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418", + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesManagedIdentity')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Customer-Storage", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515", + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesCustomerStorage')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555", + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Aine-Cognitive-Services-Resource-Logs", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4", + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesResourceLogs')]" + } + }, + "groupNames": [] } ], "policyDefinitionGroups": null diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json index df234f43e..773d67c0d 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json 
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json @@ -1,4 +1,25 @@ { + "Aine-Cognitive-Services-Resource-Logs": { + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesResourceLogs')]" + } + } + }, + "Deny-Cognitive-Services-Customer-Storage": { + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesCustomerStorage')]" + } + } + }, + "Deny-Cognitive-Services-Managed-Identity": { + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesManagedIdentity')]" + } + } + }, "Deny-CognitiveSearch-SKU": { "parameters": { "effect": { @@ -13,6 +34,13 @@ } } }, + "Modify-Cognitive-Services-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesLocalAuth')]" + } + } + }, "Modify-Cognitive-Services-Public-Network-Access": { "parameters": { "effect": { diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json index 7691b68e1..fec73e728 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Azure Key Vault", "description": "Enforce recommended guardrails for Azure Key Vault.", "metadata": { - "version": "2.0.0", + "version": "2.1.0", "category": "Key Vault", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ 
@@ -236,8 +236,11 @@ "type": "string", "defaultValue": "Disabled", "allowedValues": [ + "audit", "Audit", + "deny", "Deny", + "disabled", "Disabled" ] }, diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.json index 9ea87816f..03888cfeb 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Kubernetes", "description": "This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Kubernetes", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -81,8 +81,11 @@ "type": "string", "defaultValue": "Deny", "allowedValues": [ + "audit", "Audit", + "deny", "Deny", + "disabled", "Disabled" ] }, @@ -90,8 +93,11 @@ "type": "string", "defaultValue": "Deny", "allowedValues": [ + "audit", "Audit", + "deny", "Deny", + "disabled", "Disabled" ] }, @@ -99,8 +105,11 @@ "type": "string", "defaultValue": "Deny", "allowedValues": [ + "audit", "Audit", + "deny", "Deny", + "disabled", "Disabled" ] }, @@ -117,8 +126,11 @@ "type": "string", "defaultValue": "Deny", "allowedValues": [ + "audit", "Audit", + "deny", "Deny", + "disabled", "Disabled" ] }, @@ -126,8 +138,11 @@ "type": "string", "defaultValue": "Deny", "allowedValues": [ + "audit", "Audit", + "deny", "Deny", + "disabled", "Disabled" ] }, 
@@ -144,8 +159,11 @@ "type": "string", "defaultValue": "Deny", "allowedValues": [ + "audit", "Audit", + "deny", "Deny", + "disabled", "Disabled" ] }, diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json index e723eeebe..b5afa0fd9 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Machine Learning", "description": "This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Machine Learning", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ 
@@ -59,6 +59,80 @@
 "Modify",
 "Disabled"
 ]
+ },
+ "mlIdleShutdown": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "mlVirtualNetwork": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "mlLegacyMode": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "mlPrivateLink": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "mlResourceLogs": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "mlAllowedRegistryDeploy": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "mlAllowedModule": {
+ "type": "string",
+ "defaultValue": "enforceSetting",
+ "allowedValues": [
+ "enforceSetting",
+ "disabled"
+ ]
+ },
+ "mlAllowedPython": {
+ "type": "string",
+ "defaultValue": "enforceSetting",
+ "allowedValues": [
+ "enforceSetting",
+ "disabled"
+ ]
+ },
+ "mlAllowedRegistries": {
+ "type": "string",
+ "defaultValue": "enforceSetting",
+ "allowedValues": [
+ "enforceSetting",
+ "disabled"
+ ]
 }
 },
 "policyDefinitions": [
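Review bot: None of the nine parameters added in this hunk (`mlIdleShutdown` through `mlAllowedRegistries`) carries a `metadata` block with `displayName`/`description`, so whoever assigns the initiative sees only the raw parameter name and has to open the referenced built-in to learn what `enforceSetting` or `Deny` switches on. The same gap applies to the five `azureAi*` parameters added in the OpenAI hunk `@@ -70,6 +70,47 @@` later in this diff. If the file's existing parameters also omit metadata this is at least consistent, but the three `mlAllowed*` parameters deserve a line each because their value set is unlike the others, e.g. `"metadata": { "displayName": "Allowed Python packages effect", "description": "enforceSetting applies the referenced allowed-package policy; disabled switches it off." }`.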
@@ -111,6 +185,96 @@
 }
 },
 "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ML-Idle-Shutdown",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlIdleShutdown')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Audit-ML-Virtual-Network",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlVirtualNetwork')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ML-Legacy-Mode",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlLegacyMode')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Audit-ML-Private-Link",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlPrivateLink')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Aine-ML-Resource-Logs",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlResourceLogs')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ML-Allowed-Registry-Deploy",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlAllowedRegistryDeploy')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ML-Allowed-Module",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlAllowedModule')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ML-Allowed-Python",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlAllowedPython')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ML-Allowed-Registries",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlAllowedRegistries')]"
+ }
+ },
+ "groupNames": []
 }
 ],
 "policyDefinitionGroups": null
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.parameters.json
index fb3ec82cd..609cf7a81 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.parameters.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.parameters.json
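Review bot: The three `Deny-ML-Allowed-*` references (`Deny-ML-Allowed-Module`, whose entry begins on the previous physical line, plus `Deny-ML-Allowed-Python` and `Deny-ML-Allowed-Registries`) are driven by parameters whose only values are `enforceSetting`/`disabled`, so the `Deny-` prefix misstates the effect while the rest of the file keys the prefix to the effect (`Audit-`, `Aine-`). More importantly, each passes only `effect`; the referenced built-ins, which I take to be the "Configure allowed …" Machine Learning definitions, also accept the allowed list and the compute scope as parameters, so `enforceSetting` is applied here with whatever list the built-in defaults to, which the initiative neither shows nor lets an assignment override. Suggest exposing those lists as initiative parameters and passing them next to `effect`, or at minimum stating in the parameter metadata that the built-in defaults apply. The reference IDs are also keys in the `.parameters.json` hunk `@@ -1,4 +1,67 @@` that follows, so any rename must be applied in both files.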
@@ -1,4 +1,67 @@
 {
+ "Aine-ML-Resource-Logs": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlResourceLogs')]"
+ }
+ }
+ },
+ "Audit-ML-Private-Link": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlPrivateLink')]"
+ }
+ }
+ },
+ "Audit-ML-Virtual-Network": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlVirtualNetwork')]"
+ }
+ }
+ },
+ "Deny-ML-Allowed-Module": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlAllowedModule')]"
+ }
+ }
+ },
+ "Deny-ML-Allowed-Python": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlAllowedPython')]"
+ }
+ }
+ },
+ "Deny-ML-Allowed-Registries": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlAllowedRegistries')]"
+ }
+ }
+ },
+ "Deny-ML-Allowed-Registry-Deploy": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlAllowedRegistryDeploy')]"
+ }
+ }
+ },
+ "Deny-ML-Idle-Shutdown": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlIdleShutdown')]"
+ }
+ }
+ },
+ "Deny-ML-Legacy-Mode": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlLegacyMode')]"
+ }
+ }
+ },
 "Deny-ML-Local-Auth": {
 "parameters": {
 "effect": {
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.json
index 3ecf3e359..8b9a3d78c 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Network and Networking services",
 "description": "This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -56,7 +56,12 @@
 },
 "vnetModifyDdos": {
 "type": "string",
- "defaultValue": "Modify"
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Audit",
+ "Modify",
+ "Disabled"
+ ]
 },
 "ddosPlanResourceId": {
 "type": "string",
@@ -229,9 +234,8 @@
 "type": "string",
 "defaultValue": "Deny",
 "allowedValues": [
- "Audit",
- "Deny",
- "Disabled"
+ "Allow",
+ "Deny"
 ]
 },
 "modifyNsgRuleProtocol": {
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json
index 34e8b5ce8..d0d071930 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Open AI (Cognitive Service)",
 "description": "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Cognitive Services",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
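Review bot: The Network hunk `@@ -229,9 +234,8 @@` removes `Audit` and `Disabled` from a parameter's `allowedValues` in favour of `Allow`/`Deny` (the parameter's name sits just above the hunk), and the Synapse hunk `@@ -65,7 +65,6 @@` at the end of this diff likewise removes `Deny`, yet both files only move `metadata.version` from 1.0.0 to 1.1.0. Any existing assignment that passed one of the removed values will fail parameter validation on its next deployment instead of degrading gracefully, so these are breaking changes that call for a major version bump or at least a release note naming the affected parameters. For the Network parameter the new set also contains no `Disabled`, so if it is still the effect parameter there is no longer a way to switch that policy off through the initiative; if instead the value now feeds an NSG rule's access setting, a parameter name or description that says so would make the change self-explanatory.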
@@ -70,6 +70,47 @@
 "Deny",
 "Disabled"
 ]
+ },
+ "azureAiNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "azureAiPrivateLink": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "azureAiDisableLocalKey": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "azureAiDisableLocalKey2": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "azureAiDiagSettings": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
 }
 },
 "policyDefinitions": [
@@ -132,6 +173,56 @@
 }
 },
 "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-AzureAI-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('azureAiNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Audit-AzureAI-Private-Link",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('azureAiPrivateLink')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Dine-AzureAI-Local-Key",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('azureAiDisableLocalKey')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Dine-AzureAI-Local-Key2",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('azureAiDisableLocalKey2')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Aine-AzureAI-Diag-Settings",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('azureAiDiagSettings')]"
+ }
+ },
+ "groupNames": []
 }
 ],
 "policyDefinitionGroups": null
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.parameters.json
index 3281f8172..944dce77e 100644
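Review bot: `Dine-AzureAI-Local-Key` and `Dine-AzureAI-Local-Key2` differ only by a trailing `2`, as do the `azureAiDisableLocalKey`/`azureAiDisableLocalKey2` parameters that drive them, which gives no hint of how the two referenced definitions (`d45520cb-…` and `55eff01b-…`) differ; a suffix that names the distinction, or a `description` on both parameters in hunk `@@ -70,6 +70,47 @@`, would save the next reader a lookup. Both default to `DeployIfNotExists`, so the assignment that consumes this initiative must carry a managed identity holding a role able to change the target resources; the assignment module is outside this diff, so I could not confirm that it grants one, and without it the remediation never runs and the resources simply stay reported as non-compliant.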
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.parameters.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.parameters.json
@@ -1,4 +1,25 @@
 {
+ "Aine-AzureAI-Diag-Settings": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('azureAiDiagSettings')]"
+ }
+ }
+ },
+ "Audit-AzureAI-Private-Link": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('azureAiPrivateLink')]"
+ }
+ }
+ },
+ "Deny-AzureAI-Network-Access": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('azureAiNetworkAccess')]"
+ }
+ }
+ },
 "Deny-Cognitive-Services-Cust-Storage": {
 "parameters": {
 "effect": {
@@ -34,6 +55,20 @@
 }
 }
 },
+ "Dine-AzureAI-Local-Key": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('azureAiDisableLocalKey')]"
+ }
+ }
+ },
+ "Dine-AzureAI-Local-Key2": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('azureAiDisableLocalKey2')]"
+ }
+ }
+ },
 "Modify-Cognitive-Services-Local-Auth": {
 "parameters": {
 "effect": {
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.json
index 160708a26..889d0f6c3 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Synapse workspaces",
 "description": "This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Synapse",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -65,7 +65,6 @@
 "defaultValue": "Audit",
 "allowedValues": [
 "Audit",
- "Deny",
 "Disabled"
 ]
 },