Fix for updated policy in Deploy-SQL-Security #1654

Merged
merged 9 commits into from
May 29, 2024
1 change: 1 addition & 0 deletions docs/wiki/ALZ-Deprecated-Services.md
@@ -34,6 +34,7 @@ Policies being deprecated:
| Deploy SQL Database Vulnerability Assessments<br>ID: [`Deploy-Sql-vulnerabilityAssessments`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments.html) | [`Deploy-Sql-vulnerabilityAssessments_20230706`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html) | Custom policy replaced by updated custom policy providing bug fix |
| Deploy Microsoft Defender for Cloud configuration<br>ID: [`Deploy-MDFC-Config`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html) | [`Deploy-MDFC-Config_20240319`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) | Custom initiative replaced by updated custom initiative due to breaking changes |
| Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit<br>ID: [`Enforce-EncryptTransit`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html) | [`Enforce-EncryptTransit_20240509`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html) | Custom initiative replaced by updated custom initiative due to breaking changes |
| Deploy SQL Database built-in SQL security configuration<br>ID: [`Deploy-SQL-Security`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-SQL-Security.html) | [`Deploy-SQL-Security_20240529`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-SQL-Security_20240529.html) | Custom initiative replaced by updated custom initiative due to breaking changes |

>IMPORTANT: note that we have deprecated ALL ALZ custom Diagnostic Setting features as part of Azure Landing Zones, which includes the initiatives and all 53 policies. These are being deprecated in favor of using (and assigning) the built-in initiative [Enable allLogs category group resource logging for supported resources to Log Analytics](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html)
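Review bot: the new wiki row's ID and links use the casing `Deploy-SQL-Security_20240529`, but the definition added in this PR is named `Deploy-Sql-Security_20240529` (its `name`, the deprecated set's `supersededBy` value and the bicep file path all use `Sql`), and the "Superseded by" URL in the deprecated description also points at `Deploy-Sql-Security_20240529.html`. Align the row to the definition name so a reader searching the wiki for the exact ID finds it and the link does not depend on the site treating slugs case-insensitively.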

122 changes: 62 additions & 60 deletions eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json

@@ -5,12 +5,14 @@
"scope": null,
"properties": {
"policyType": "Custom",
"displayName": "Deploy SQL Database built-in SQL security configuration",
"description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment",
"displayName": "[Deprecated]: Deploy SQL Database built-in SQL security configuration",
"description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Sql-Security_20240529.html",
"metadata": {
"version": "1.0.0",
"version": "1.0.0-deprecated",
"category": "SQL",
"source": "https://github.com/Azure/Enterprise-Scale/",
"deprecated": true,
"supersededBy": "Deploy-Sql-Security_20240529",
"alzCloudEnvironments": [
"AzureCloud",
"AzureChinaCloud",
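Review bot: since the `description` line is being rewritten anyway, the carried-over grammar (`when it not exist in the deployment`) could be corrected to `when they do not exist in the deployment`; the same wording is copied into the new `Deploy-Sql-Security_20240529` definition and could be fixed there too. The deprecation metadata itself (`version` set to `1.0.0-deprecated`, `deprecated: true`, `supersededBy` naming the replacement set) matches the pattern used for the other deprecated initiatives listed in the wiki table.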
@@ -114,7 +116,7 @@
},
{
"policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments",
"parameters": {
"effect": {
"value": "[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]"
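Review bot: this reverts the deprecated initiative to reference `Deploy-Sql-vulnerabilityAssessments` instead of `Deploy-Sql-vulnerabilityAssessments_20230706`, which is consistent with freezing the deprecated set at its original content and moving the updated reference into `Deploy-Sql-Security_20240529`. Two things to confirm before merging: that `Deploy-Sql-vulnerabilityAssessments` (itself listed as deprecated in the wiki table) is still deployed wherever this set is, since a policy set definition whose `policyDefinitionId` does not resolve cannot be created or updated; and that existing assignments of `Deploy-Sql-Security` are expected to keep running the older vulnerability-assessment policy until they are migrated to the new set.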
@@ -0,0 +1,135 @@
{
"name": "Deploy-Sql-Security_20240529",
"type": "Microsoft.Authorization/policySetDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"displayName": "Deploy SQL Database built-in SQL security configuration",
"description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment",
"metadata": {
"version": "1.0.0",
"category": "SQL",
"source": "https://github.com/Azure/Enterprise-Scale/",
"replacesPolicy": "Deploy-Sql-Security",
"alzCloudEnvironments": [
"AzureCloud",
"AzureChinaCloud",
"AzureUSGovernment"
]
},
"parameters": {
"vulnerabilityAssessmentsEmail": {
"metadata": {
"description": "The email address to send alerts",
"displayName": "The email address to send alerts"
},
"type": "Array"
},
"vulnerabilityAssessmentsStorageID": {
"metadata": {
"description": "The storage account ID to store assessments",
"displayName": "The storage account ID to store assessments"
},
"type": "String"
},
"SqlDbTdeDeploySqlSecurityEffect": {
"type": "String",
"defaultValue": "DeployIfNotExists",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"metadata": {
"displayName": "Deploy SQL Database Transparent Data Encryption ",
"description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment"
}
},
"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect": {
"type": "String",
"defaultValue": "DeployIfNotExists",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"metadata": {
"displayName": "Deploy SQL Database security Alert Policies configuration with email admin accounts",
"description": "Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration"
}
},
"SqlDbAuditingSettingsDeploySqlSecurityEffect": {
"type": "String",
"defaultValue": "DeployIfNotExists",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"metadata": {
"displayName": "Deploy SQL database auditing settings",
"description": "Deploy auditing settings to SQL Database when it not exist in the deployment"
}
},
"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect": {
"type": "String",
"defaultValue": "DeployIfNotExists",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"metadata": {
"displayName": "Deploy SQL Database vulnerability Assessments",
"description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters"
}
}
},
"policyDefinitions": [
{
"policyDefinitionReferenceId": "SqlDbTdeDeploySqlSecurity",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f",
"parameters": {
"effect": {
"value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "SqlDbSecurityAlertPoliciesDeploySqlSecurity",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies",
"parameters": {
"effect": {
"value": "[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "SqlDbAuditingSettingsDeploySqlSecurity",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings",
"parameters": {
"effect": {
"value": "[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706",
"parameters": {
"effect": {
"value": "[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]"
},
"vulnerabilityAssessmentsEmail": {
"value": "[[parameters('vulnerabilityAssessmentsEmail')]"
},
"vulnerabilityAssessmentsStorageID": {
"value": "[[parameters('vulnerabilityAssessmentsStorageID')]"
}
},
"groupNames": []
}
],
"policyDefinitionGroups": null
}
}
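Review bot: the `displayName` for `SqlDbTdeDeploySqlSecurityEffect` has a trailing space (`"Deploy SQL Database Transparent Data Encryption "`) that will show verbatim in the portal; trim it. Also worth noting for reviewers: `vulnerabilityAssessmentsEmail` and `vulnerabilityAssessmentsStorageID` have no `defaultValue`, so every assignment of this initiative must supply both, and the three custom `policyDefinitionId` values keep the `contoso` management-group placeholder that the existing definitions also use. The `replacesPolicy` value `Deploy-Sql-Security` correctly pairs with the `supersededBy` value on the deprecated set, and the vulnerability-assessment reference here points at the updated `Deploy-Sql-vulnerabilityAssessments_20230706` policy, which is the substantive change this new set carries.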
1 change: 1 addition & 0 deletions src/templates/initiatives.bicep
@@ -36,6 +36,7 @@ var loadPolicySetDefinitions = {
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization.json')
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch.json')
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security.json')
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json')
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json')
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json')
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json')
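Review bot: loading both `Deploy-Sql-Security.json` and `Deploy-Sql-Security_20240529.json` follows the pattern already used for `Enforce-EncryptTransit.json` and `Enforce-EncryptTransit_20240509.json` two lines below, so the deprecated set stays deployable alongside its replacement. Since `eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json` also changes in this PR (62 additions, 60 deletions), please confirm it was regenerated from this bicep source rather than edited by hand so the two stay in sync.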