
New Feature: Workload Specific Compliance #1622

Merged: 155 commits, May 13, 2024

Conversation

Springstone
Member

@Springstone Springstone commented Apr 22, 2024

Overview/Summary

This pull request includes significant updates to the Azure Landing Zones (ALZ) policy and the ALZ Portal accelerator. The changes aim to provide additional compliance controls for specific workloads, which are often required by highly regulated industries.

Major changes include:

Updates to .github/workflows/update-portal.yml:

  • Added a new job to build initiatives from the src/templates/initiatives.bicep file and output to ./eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json.

Additions to docs/wiki/ALZ-Policies-Extra.md:

  • Added a new section "ALZ Policies - Extra" that provides information on additional policies not assigned by default or covered in the core ALZ Policies documentation. The section includes a list of policies and their descriptions.
  • Introduced a new "Workload Specific Compliance" section that provides additional initiatives to enhance the security and compliance posture of the Azure Landing Zones. The section includes a list of initiative IDs, their names, descriptions, and the number of policies.

Updates to docs/wiki/Whats-new.md:

  • Added a note about the missed Q3 timelines and the reasons for the delay. Also, provided information on the major update to the ALZ Policy and the addition of the "Workload Specific Compliance" section to the ALZ Portal accelerator.
  • Included a list of new custom initiatives added to support key Azure workloads/services, enhancements to existing initiatives, and new custom policies added for various workloads.
  • Updated the "Deploy-MDFC-Config" for Defender for APIs, which now requires a sub plan to be specified.

Updates to ALZ Portal accelerator:

  • docs/wiki/Whats-new.md: Added a new "Workload Specific Compliance" section to the ALZ Portal accelerator. This new section allows users to apply compliance policies to specific workloads like SQL, Storage, etc. These additional compliance controls are often required by highly regulated industries like financial services and healthcare.

Updates to Defender for APIs:

  • docs/wiki/Whats-new.md: Updated the Deploy-MDFC-Config for Defender for APIs, which now requires a sub-plan to be specified. The default sub-plan is "P1", and costs will only be incurred once an API has been onboarded to Defender for APIs. Users are advised to review Defender for API plans as they relate to their environment and adjust the sub-plan as needed.

Updates to documentation:

  • .github/workflows/update-portal.yml: Added a new step to the workflow to update initiatives in the jobs: section.
  • docs/wiki/ALZ-Policies-Extra.md: Added a new file to describe additional policies that are not assigned by default or covered in the core ALZ Policies documentation. This file provides guidance on how to handle certain situations and includes a detailed list of policies and initiatives.

Testing Evidence

[Testing evidence screenshot not reproduced]

Testing URLs

Azure Public

Deploy To Azure

As part of this Pull Request I have

  • Checked for duplicate Pull Requests
  • Associated it with relevant issues, for tracking and closure.
  • Ensured my code/branch is up-to-date with the latest changes in the main branch
  • Performed testing and provided evidence.
  • Ensured contribution guidance is followed.
  • Updated relevant and associated documentation.
  • Updated the "What's New?" wiki page (located: /docs/wiki/whats-new.md)

…ce-Guardrails-DataExplorer, and Enforce-Guardrails-DataFactory. Update allowed values for adxCmk and adfCmk. Update allowed values for containerRegistryUnrestrictedNetworkAccess, containerRegistryRepositoryToken, containerRegistryModifyRepositoryToken, containerRegistryLocalAuth, containerRegistryModifyLocalAuth, containerRegistryExports, containerRegistryAnAuth, containerRegistryModifyAnAuth, containerRegistrySkuPrivateLink, containerRegistryArmAudience, and containerRegistryModifyArmAudience.
…e-EncryptTransit.json, Enforce-Guardrails-Network.json, and Enforce-Guardrails-OpenAI.json
…nforce-Guardrails-Automation.json, Enforce-Guardrails-DataExplorer.json, Enforce-Guardrails-DataFactory.json, and Enforce-Guardrails-MachineLearning.json
@Springstone
Member Author

Great work here @Springstone, awesome, awesome work.

Other comments that aren't applicable to files:

  1. Have we added metadata.alzVariant for policy definitions to:

    • Pester Tests
    • Contribution Guides
  2. Are we adding tests for all the Deny assignments, into the testing framework that you built?

  3. In the new definitions added should the properties.mode be set to all instead of indexed as per https://learn.microsoft.com/azure/governance/policy/concepts/definition-structure-basics#mode

  4. Do we need to add the properties.version to all our policy definitions now?

  5. Address "secure-by-default" definition concerns and update all policies based on outcome etc.

Addressed all the questions here, and created a user story to create additional Pester tests for the new Deny custom policies we're adding in this PR.
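The review questions above (metadata.alzVariant coverage, properties.mode "Indexed" versus "All", and whether properties.version is needed) are the kind of thing that is easy to miss across 155 commits' worth of definition files. The following is an added example, not part of the ALZ repository or its Pester tests: a small Python lint that walks policy definition JSON and reports each definition that does not satisfy one of those three points. Treating metadata.alzVariant and properties.version as required is an assumption made for illustration, and the two sample definitions are constructed, not taken from the repository.

```python
"""Added example: lint Azure Policy definition JSON for the three review points.

Not part of the ALZ repository or its Pester tests; the sample definitions
below are constructed for illustration.
"""
import json
from pathlib import Path
from typing import Dict, Iterable, List

# Constructed sample: satisfies every check.
SAMPLE_GOOD = {
    "name": "Deny-Example-Good",
    "properties": {
        "mode": "All",
        "version": "1.0.0",
        "displayName": "Constructed definition that satisfies every check",
        "metadata": {"alzVariant": "Example", "category": "Example"},
        "policyRule": {
            "if": {"field": "type", "equals": "Microsoft.Example/resources"},
            "then": {"effect": "Deny"},
        },
    },
}

# Constructed sample: triggers all three findings.
SAMPLE_BAD = {
    "name": "Deny-Example-Bad",
    "properties": {
        "mode": "Indexed",
        "displayName": "Constructed definition that triggers all three findings",
        "metadata": {"category": "Example"},
        "policyRule": {
            "if": {"field": "type", "equals": "Microsoft.Example/resources"},
            "then": {"effect": "Deny"},
        },
    },
}


def lint_policy_definition(definition: dict) -> List[str]:
    """Return one finding per review point the definition does not satisfy."""
    findings: List[str] = []
    name = definition.get("name", "<unnamed>")
    props = definition.get("properties", {})

    # Review point 3: "Indexed" only evaluates resource types that support
    # tags and location, so flag it for the author to confirm "All" is not
    # intended. Resource-provider modes (those containing a dot, e.g.
    # Microsoft.Kubernetes.Data) are a different case and are left alone.
    mode = props.get("mode")
    if mode is None:
        findings.append(f"{name}: properties.mode is missing")
    elif "." not in mode and mode.lower() == "indexed":
        findings.append(f"{name}: properties.mode is 'Indexed'; confirm 'All' is not intended")

    # Review point 4: treat properties.version as required (assumption).
    if "version" not in props:
        findings.append(f"{name}: properties.version is missing")

    # Review point 1: treat metadata.alzVariant as required (assumption), so
    # tests and contribution guidance have a consistent marker to key on.
    if "alzVariant" not in props.get("metadata", {}):
        findings.append(f"{name}: metadata.alzVariant is missing")

    return findings


def lint_files(paths: Iterable[Path]) -> Dict[str, List[str]]:
    """Lint each JSON file and return {path: findings} for files with findings."""
    report: Dict[str, List[str]] = {}
    for path in paths:
        definition = json.loads(path.read_text(encoding="utf-8"))
        findings = lint_policy_definition(definition)
        if findings:
            report[str(path)] = findings
    return report


if __name__ == "__main__":
    # Usage: python lint_policies.py <directory>; lints every *.json beneath it.
    import sys

    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for file, file_findings in lint_files(sorted(root.rglob("*.json"))).items():
        for finding in file_findings:
            print(f"{file}: {finding}")
```

Pointing it at a directory of definitions gives a per-file list that can be pasted into a review comment; as a CI gate it would fail on any non-empty report. Whether "Indexed" is actually wrong for a given definition still needs a human decision, which is why the script reports it as a question rather than an error.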

@Springstone Springstone requested a review from jtracey93 May 10, 2024 11:26
Collaborator

@jtracey93 jtracey93 left a comment


Just a couple of bits and we should be good

Review comment on docs/wiki/ALZ-Policies-Extra.md (outdated, resolved)
Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
@jtracey93 jtracey93 merged commit 0074785 into Azure:policy-refresh-q3fy24 May 13, 2024
2 of 4 checks passed
@Springstone Springstone deleted the FSI branch May 13, 2024 21:21
Labels: Area: Accelerator ⚡ (Issues / PR's related to Accelerators); Area: Policy 📝 (Issues / PR's related to Policy); PR: Safe to test 🧪 (PRs can run more advanced tests that may deploy or access environments)