diff --git a/.github/workflows/update-portal.yml b/.github/workflows/update-portal.yml index 0185b4ae84..116bb686fd 100644 --- a/.github/workflows/update-portal.yml +++ b/.github/workflows/update-portal.yml @@ -80,6 +80,9 @@ jobs: - name: Update policies run: bicep build ./src/templates/policies.bicep --outfile ./eslzArm/managementGroupTemplates/policyDefinitions/policies.json + - name: Update policy set definitions (initiatives) + run: bicep build ./src/templates/initiatives.bicep --outfile ./eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json + - name: Update roles run: bicep build ./src/templates/roles.bicep --outfile ./eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json diff --git a/docs/wiki/ALZ-Contribution-Guide.md b/docs/wiki/ALZ-Contribution-Guide.md index 9993df9ca8..f412ffcaab 100644 --- a/docs/wiki/ALZ-Contribution-Guide.md +++ b/docs/wiki/ALZ-Contribution-Guide.md 
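Review bot: The new step runs `bicep build ./src/templates/initiatives.bicep`, but that source template is not in the visible part of this diff, so confirm it is added by the same change or already exists; otherwise the build fails and the job stops before the following `Update roles` step. The step mirrors the existing `Update policies` step in name and output path, which keeps the generated `initiatives.json` alongside `policies.json` under `policyDefinitions/`, so any process that reviews or commits that generated output should be extended to cover the new file as well. The enclosing `jobs:` block starts before the hunk.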
@@ -197,7 +197,7 @@ Policy versioning follows the same protocol as built-in policies. More informati For policy deprecation, the process is documented in the [Azure Landing Zones - Deprecating Policies](./ALZ-Deprecated-Services) page. -If a policy is part of an initiative, references to policies that are being deprecated should be removed. Policy initiatives are located in the [policySetDefinitions](https://github.com/Azure/Enterprise-Scale/blob/main/src/resources/Microsoft.Authorization/policySetDefinitions/) folder. To find out if a policy is part of an initiative it is recommended to look up the policy definition in [AzAdvertiser](http://azadvertizer.com/) and check for association with initiatives. When identified, go into the necessary initiative and remove references to the definition. Locate the policy definition in the parameters of the initiative and remove reference: +If a policy is part of an initiative, references to policies that are being deprecated should be removed. Policy initiatives are located in the [policySetDefinitions](https://github.com/Azure/Enterprise-Scale/blob/main/src/resources/Microsoft.Authorization/policySetDefinitions/) folder. To find out if a policy is part of an initiative it is recommended to look up the policy definition in [AzAdvertizer](http://azadvertizer.com/) and check for association with initiatives. When identified, go into the necessary initiative and remove references to the definition. Locate the policy definition in the parameters of the initiative and remove reference: ![Example policy def in initiative](media/example-def-in-init.png) 
@@ -231,7 +231,7 @@ Policies in `eslzArm.json` file will also need updating if wanting to assign a n The portal reference implementation is a popular UI driven reference implementation for Azure landing zones, and is maintained as part of this repository. It is a great way to get started with Azure landing zones, and is a great way to learn about the underlying Azure landing zone guidance. -When creating new policies that will be assigned by default by the portal reference architecture you are required to also include appropriate information and options in the portal experience (`eslzArm/eslz-portal.json`). Please do include appropriate selectors in line with the section (management group) that the policy is assigned to, and ensure that tooltips include links to the AzAdvertizer page for the policy or initiative. +When creating new policies that will be assigned by default by the portal reference architecture you are required to also include appropriate information and options in the portal experience (`eslzArm/eslz-portal.json`). Please do include appropriate selectors in line with the section (management group) that the policy is assigned to, and ensure that tooltips include links to the [AzAdvertizer](http://azadvertizer.com/) page for the policy or initiative. Example for the Key Vault initiative (note the tooltip): diff --git a/docs/wiki/ALZ-Deprecated-Services.md b/docs/wiki/ALZ-Deprecated-Services.md index ab4626bbf5..ae1602df97 100644 --- a/docs/wiki/ALZ-Deprecated-Services.md +++ b/docs/wiki/ALZ-Deprecated-Services.md @@ -29,6 +29,7 @@ Policies being deprecated: | Diagnostic Settings for MariaDB to Log Analytics Workspace
ID: [`Deploy-Diagnostics-MariaDB`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Diagnostics-MariaDB.html) | Deprecating due to service retirement | Deprecating policies for MariaDB, see [`ALZ Policy FAQ & Tips`](./ALZ-Policies-FAQ) | | Deploy SQL Database Vulnerability Assessments
ID: [`Deploy-Sql-vulnerabilityAssessments`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments.html) | [`Deploy-Sql-vulnerabilityAssessments_20230706`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html) | Custom policy replaced by updated custom policy providing bug fix | | Deploy Microsoft Defender for Cloud configuration
ID: [`Deploy-MDFC-Config`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html) | [`Deploy-MDFC-Config_20240319`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) | Custom initiative replaced by updated custom initiative due to breaking changes | +| Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit
ID: [`Enforce-EncryptTransit`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html) | [`Enforce-EncryptTransit_20240509`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html) | Custom initiative replaced by updated custom initiative due to breaking changes | ### More Information diff --git a/docs/wiki/ALZ-Policies-Extra.md b/docs/wiki/ALZ-Policies-Extra.md new file mode 100644 index 0000000000..7c3cc818a6 --- /dev/null +++ b/docs/wiki/ALZ-Policies-Extra.md 
@@ -0,0 +1,57 @@ +# ALZ Policies - Extra + +This document describes additional ALZ custom policy definitions and initiatives that are not assigned by default in ALZ, but are provided as they may assist some consumers of ALZ in specific scenarios where they can assign these additional policies to help them meet their objectives. We also provide guidance on how to handle certain situations as some of the policies require additional considerations prior to assigning. + +> For the complete list of Azure Landing Zones custom policies, please use [AzAdvertizer](https://www.azadvertizer.net/azpolicyadvertizer_all.html), and change `type` to `ALZ`. + +## Additional ALZ Custom Policies for consideration + +ALZ provides several additional policies that are not assigned by default but that can be used for specific scenarios should they be required. + +| Policy | Description | Notes | +|------------|-------------|-------------| +| Deny-Appgw-Without-Waf | Application Gateway should be deployed with WAF enabled | Use to ensure Application Gateways are deployed with Web Application Firewall enabled | +| Deny-Private-Dns-Zones | Deny the creation of private DNS | For organizations that centralize core networking functions, use this policy to prevent the creation of additional Private DNS Zones under specific scopes | +| Deny-Subnet-Without-Udr | Subnets should have a User Defined Route | Should you require all network traffic be directed to an appliance for inspection, you can use this policy to ensure UDR is associated with a subnet | +| Deny-Udr-With-Specific-Nexthop | User Defined Routes with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway' should be denied | Refining `Deny-Subnet-Without-Udr` you can ensure non-compliant UDRs are denied (e.g., bypassing a firewall) | +| Deny-Vnet-Peering | Deny vNet peering | Use to prevent vNet peering under specific scopes (e.g., Sandbox management group) | +| Deny-Vnet-Peering-To-Non-Approved-Vnets | Deny vNet peering to 
non-approved vNets | Use to control vNet peering under specific scopes, like in the Corp management group, only allow peering to the hub vNet. | +| Deploy-Budget | Deploy a default budget on all subscriptions under the assigned scope | Set a default budget for a specific scope, like setting a $500 budget on all subscriptions in the Sandbox management group | +| Deploy-Vnet-Hubspoke | Deploy Virtual Network with peering to the hub | Automatically peer a new virtual network with the hub, for example, in the Corp management group | +| Deploy-Windows-DomainJoin | Deploy Windows Domain Join Extension with Key Vault configuration | Windows Domain Join a virtual machine using domain name and password stored in Key Vault as secrets | + +## 2. ALZ, Workload Specific Compliance and Regulated Industries + +The Azure Landing Zone is designed to be a flexible and scalable solution that can be used by organizations in a variety of industries. However, organizations in regulated industries (FSI, Healthcare, etc.) may need to take additional steps to ensure compliance with industry-specific regulations. These regulations often commonly have a consistent set of controls to cover, like CMK, locking down public endpoints, TLS version enforcement, logging etc. + +To support the additional control requirements of these industries, we're providing the following additional initiatives that enhance the security and compliance posture of the Azure Landing Zone: + +> **Please Note:** These are meant to help customers across all regulated industries (FSI, Healthcare, etc.) 
and not be aligned to specific regulatory controls, as there are already policy initiatives available for these via [Azure Policy](https://learn.microsoft.com/azure/azure-resource-manager/management/security-controls-policy) & [Microsoft Defender for Cloud](https://learn.microsoft.com/azure/defender-for-cloud/regulatory-compliance-dashboard) + +| Initiative ID | Name | Description | # of Policies | +|------------|-------------|-------------|-------------| +| [Enforce-Guardrails-APIM](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-APIM.html) | Enforce recommended guardrails for API Management | This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones. | 11 | +| [Enforce-Guardrails-AppServices](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-AppServices.html) | Enforce recommended guardrails for App Service | This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones. | 19 | +| [Enforce-Guardrails-Automation](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Automation.html) | Enforce recommended guardrails for Automation Account | This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones. | 6 | +| [Enforce-Guardrails-CognitiveServices](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-CognitiveServices.html) | Enforce recommended guardrails for Cognitive Services | This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones. | 5 | +| [Enforce-Guardrails-Compute](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Compute.html) | Enforce recommended guardrails for Compute | This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones. 
| 2 | +| [Enforce-Guardrails-ContainerApps](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-ContainerApps.html) | Enforce recommended guardrails for Container Apps | This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones. | 2 | +| [Enforce-Guardrails-ContainerInstance](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-ContainerInstance.html) | Enforce recommended guardrails for Container Instance | This policy initiative is a group of policies that ensures Container Instance is compliant per regulated Landing Zones. | 1 | +| [Enforce-Guardrails-ContainerRegistry](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-ContainerRegistry.html) | Enforce recommended guardrails for Container Registry | This policy initiative is a group of policies that ensures Container Registry is compliant per regulated Landing Zones. | 12 | +| [Enforce-Guardrails-CosmosDb](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-CosmosDb.html) | Enforce recommended guardrails for Cosmos DB | This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones. | 6 | +| [Enforce-Guardrails-DataExplorer](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-DataExplorer.html) | Enforce recommended guardrails for Data Explorer | This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones. | 4 | +| [Enforce-Guardrails-DataFactory](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-DataFactory.html) | Enforce recommended guardrails for Data Factory | This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones. 
| 5 | +| [Enforce-Guardrails-EventGrid](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-EventGrid.html) | Enforce recommended guardrails for Event Grid | This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones. | 8 | +| [Enforce-Guardrails-EventHub](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-EventHub.html) | Enforce recommended guardrails for Event Hub | This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones. | 4 | +| [Enforce-Guardrails-KeyVault-Sup](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault-Sup.html) | Enforce additional recommended guardrails for Key Vault | This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones. This includes additional policies to supplement Enforce-Guardrails-KeyVault, which is assigned by default in ALZ. | 2 | +| [Enforce-Guardrails-Kubernetes](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Kubernetes.html) | Enforce recommended guardrails for Kubernetes | This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones. | 16 | +| [Enforce-Guardrails-MachineLearning](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-MachineLearning.html) | Enforce recommended guardrails for Machine Learning | This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones. | 5 | +| [Enforce-Guardrails-MySQL](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-MySQL.html) | Enforce recommended guardrails for MySQL | This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones. 
| 2 | +| [Enforce-Guardrails-Network](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Network.html) | Enforce recommended guardrails for Network and Networking services | This policy initiative is a group of policies that ensures Network and Networking services is compliant per regulated Landing Zones. | 22 | +| [Enforce-Guardrails-OpenAI](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-OpenAI.html) | Enforce recommended guardrails for Open AI (Cognitive Service) | This policy initiative is a group of policies that ensures Open AI (Cognitive Services) is compliant per regulated Landing Zones. | 6 | +| [Enforce-Guardrails-PostgreSQL](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-PostgreSQL.html) | Enforce recommended guardrails for PostgreSQL | This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones. | 1 | +| [Enforce-Guardrails-ServiceBus](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-ServiceBus.html) | Enforce recommended guardrails for Service Bus | This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones. | 4 | +| [Enforce-Guardrails-SQL](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-SQL.html) | Enforce recommended guardrails for SQL and SQL Managed Instance | This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones. | 5 | +| [Enforce-Guardrails-Storage](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Storage.html) | Enforce recommended guardrails for Storage Account | This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones. 
| 22 | +| [Enforce-Guardrails-Synapse](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Synapse.html) | Enforce recommended guardrails for Synapse workspaces | This policy initiative is a group of policies that ensures Synapse is compliant per regulated Landing Zones. | 9 | +| [Enforce-Guardrails-VirtualDesktop](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-VirtualDesktop.html) | Enforce recommended guardrails for Virtual Desktop | This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones. | 2 | diff --git a/docs/wiki/ALZ-Policies-FAQ.md b/docs/wiki/ALZ-Policies-FAQ.md index 2fb094fcc4..d3eaabcf1f 100644 --- a/docs/wiki/ALZ-Policies-FAQ.md +++ b/docs/wiki/ALZ-Policies-FAQ.md 
@@ -4,6 +4,14 @@ There is a lot of change happening for policies in Azure, and by extension ALZ, and we have a number of common issues being raised by our customers and partners. This page is intended to address those issues. +### ALZ Policies and Initiatives and the escape character + +We've had a number of issues and pull requests submitted specifically around the extra bracket `[` that is present in all policies and initiatives in this repo. + +> NOTE: The policies and initiatives in this repo are NOT intended to be deployed directly in Azure. You cannot copy the definition and deploy the policy directly without editing first. If you want to deploy a specific policy you must first remove the additional leading `[` character from the policy or initiative definition. Alternatively, to deploy a specific policy directly in Azure Policy, please use AzAdvertizer to lookup the policy and use the `copy definition` button to copy a clean version of the policy ready for use (this will remove all the extra `[`). + +The reason for this is that the policies and initiatives in this repo are intended to be used as part of the ALZ deployment process, and are used to generate the ARM templates that are deployed to Azure. The leading `[` character is required to support the generation of the ARM templates. + ### Diagnostic Settings v2 (December 2023) There are several issues raised around Diagnostic Settings, and we acknowledge that this is a complex area that is causing a lot of pain. diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 009a76383f..04bea5fa19 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -1,7 +1,7 @@ ## In this Section - [Updates](#updates) - - [πŸ”ƒ Policy Refresh Q3 FY24](#-policy-refresh-q3-fy24) + - [πŸ”ƒ Policy Refresh H2 FY24](#-policy-refresh-h2-fy24) - [May 2024](#may-2024) - [April 2024](#april-2024) - [March 2024](#march-2024) 
@@ -44,8 +44,18 @@ This article will be updated as and when changes are made to the above and anyth Here's what's changed in Enterprise Scale/Azure Landing Zones: -### πŸ”ƒ Policy Refresh Q3 FY24 +### πŸ”ƒ Policy Refresh H2 FY24 +We've missed Q3 timelines completely, but for good reason. We've held back this cycle of Policy Refresh in order to address some key initiatives that we feel are critical to the success of our customers. This is the single largest update to the ALZ Policy since the inception of the project. We're excited to share these updates with you, and we're confident that they will provide significant value to your deployments and the compliance of your Azure Landing Zones. + +- πŸ“ŒMajor Update: New "Workload Specific Compliance" section added to ALZ Portal accelerator. This will allow you to apply compliance policies to specific workloads, such as SQL, Storage, and more. These additional compliance controls are frequently required by highly regulated industries like financial services, healthcare, etc. Note: they are not assigned by default, you are required to select the workload and management group scope to apply assignments. 
For more information review [ALZ Policy - Extra](./ALZ-Policies-Extra) +This release includes: + - 25 new custom initiatives added to support key Azure workloads/services + - Significantly enhanced [Deny-PublicPaasEndpoints](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deny-PublicPaasEndpoints.html) to cover additional services (no public access) + - Significantly enhanced [Enforce-EncryptTransit](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html) to cover additional services (TLS and SSL) + - Significantly enhanced [Enforce-EncryptionCMK](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptionCMK.html) to cover additional services (customer managed keys) + - 24 new custom policies added for various workloads where no equivalent built-in policy is available (included in the new initiatives) - please note some policies only support the "Audit" effect, and should be overridden as needed. +- Updated [Audit-PublicIpAddresses-UnusedResourcesCostOptimization](https://www.azadvertizer.net/azpolicyadvertizer/Audit-PublicIpAddresses-UnusedResourcesCostOptimization.html) to check for `static` public IP addresses that are not associated with any resources (instead of `not basic`). - Fixed the bug with [Configure Azure Machine Learning workspace to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/ee40564d-486e-4f68-a5ca-7a621edae0fb.html) policy where `secondPrivateDnsZoneId` parameter was missing which was leaving AML private endpoints incomplete. - Updated `Audit-PrivateLinkDnsZones` display name to include the fact it can be `audit` or `deny` - Added the [Configure BotService resources to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/6a4e6f44-f2af-4082-9702-033c9e88b9f8.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment. 
@@ -71,7 +81,11 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - Added new initiative and assignment to enable auditing for Trust Launch capable virtual machines which includes the following built-in policies: - [Disks and OS image should support TrustedLaunch](https://www.azadvertizer.net/azpolicyadvertizer/b03bb370-5249-4ea4-9fce-2552e87e45fa.html) - [Virtual Machine should have TrustedLaunch enabled](https://www.azadvertizer.net/azpolicyadvertizer/c95b54ad-0614-4633-ab29-104b01235cbf.html) - - Added new custom policy "Deploy-Private-DNS-Generic" this policy will DINE-configure private DNS zone group to override the DNS resolution for PaaS services private endpoint, it is generic for the services which supports private DNS but doesn't have built in policy exist and also for the new services which supports private DNS in future +- Updated ARM deployment for Defender for APIs, which now requires a sub plan be specified. We're defaulting to sub plan "P1", and have confirmed that costs will only be incurred once an API has expressly been onboarded to Defender for APIs. Please thoroughly review Defender for API plans as they related to your environment and adjust the sub plan as needed. +- Deprecated custom policy [Storage Account set to minimum TLS and Secure transfer should be enabled](https://www.azadvertizer.net/azpolicyadvertizer/Deny-Storage-minTLS.html) and replaced with two built-in policies [Secure transfer to storage accounts should be enabled](https://www.azadvertizer.net/azpolicyadvertizer/404c3081-a854-4457-ae30-26a93ef643f9.html) and [Storage accounts should have the specified minimum TLS version](https://www.azadvertizer.net/azpolicyadvertizer/fe83a0eb-a853-422d-aac2-1bffd182c5d0.html). +- Added new custom policy "Deploy-Private-DNS-Generic" this policy will DINE-configure private DNS zone groups to override the DNS resolution for PaaS services private endpoint. 
It is generic to enable private DNS zones for the services which supports private DNS but don't have built-in policies available and also for the new services which support private DNS in future. +- Deprecated [Deploy-EncryptTransit](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-EncryptTransit.html) initiative and superseded with [Deploy-EncryptTransit_20240509](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-EncryptTransit_20240509.html) to minimize breaking change impact on existing deployments. + ### May 2024 #### Documentation diff --git a/docs/wiki/_Sidebar.md b/docs/wiki/_Sidebar.md index b9a72a42df..36a85e464e 100644 --- a/docs/wiki/_Sidebar.md +++ b/docs/wiki/_Sidebar.md @@ -7,8 +7,6 @@ * [What is Enterprise-Scale](./What-is-Enterprise-Scale) * [Architecture](./ALZ-Architecture) * [Policies](./ALZ-Policies) - * [Policies FAQ & Tips](./ALZ-Policies-FAQ) - * [Policies Testing Framework](./ALZ-Policies-Testing) * [What is the reference implementation?](./What-is-Enterprise-Scale#what-is-enterprise-scale-reference-implementation) * [Pricing](./What-is-Enterprise-Scale#pricing) * [What if I already have an existing Azure footprint](./What-is-Enterprise-Scale#what-if-i-already-have-an-existing-azure-footprint) @@ -36,6 +34,9 @@ * [Azure Landing Zones Deprecated Services](./ALZ-Deprecated-Services) * Azure Landing Zone (ALZ) Policies * [Policies included in Azure landing zones reference implementations](./ALZ-Policies) + * [Policies included but not assigned by default and Workload Specific Compliance initiatives](./ALZ-Policies-Extra) + * [Policies FAQ & Tips](./ALZ-Policies-FAQ) + * [Policies Testing Framework](./ALZ-Policies-Testing) * [Migrate Azure landing zones custom policies to Azure built-in policies](./Migrate-ALZ-Policies-to-Built%E2%80%90in) * [Updating Azure landing zones custom policies to latest](./Update-ALZ-Custom-Policies-to-Latest) * MMA Deprecation Guidance 
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index cdf9c2eeca..5e4d820bd9 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -3104,7 +3104,7 @@ "label": "Ensure encryption in transit is enabled for PaaS services", "defaultValue": "Yes (recommended)", "visible": true, - "toolTip": "If 'Yes' is selected then Azure Policy will ensure PaaS resources uses TLS and SSL.
Uses the custom initiative Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit.", + "toolTip": "If 'Yes' is selected then Azure Policy will ensure PaaS resources uses TLS and SSL.
Uses the custom initiative Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit.", "constraints": { "allowedValues": [ { 
@@ -3845,6 +3845,2334 @@ } ] }, + { + "name": "workloadspecific", + "label": "Workload Specific Compliance", + "elements": [ + { + "name": "wsText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "For customers in highly regulated industries like healthcare, financial services, public sector, etc. you can optionally select one, or more, Workload Specific Compliance Policy Initiatives (Set Definitions) to assign to the selected Management Groups of your Azure Landing Zones hierarchy (e.g. Contoso).", + "link": { + "label": "Learn More", + "uri": "" + } + } + }, + { + "name": "wsInfoCheck", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "text": "Please carefully review each of the initiatives and the controls they enforce to ensure they align with your organization's compliance requirements. You can hover over the workload name to show the tooltip, which includes a link to the initiative definition.", + "uri": "https://aka.ms/alz/policies", + "style": "Info" + } + }, + { + "name": "wsText2", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Please select workload and scope to apply initiatives to for each:", + "link": { + "label": "", + "uri": "" + } + } + }, + { + "name": "enableWsCMKInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Customer Managed Keys", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected management groups to apply Customer Managed Keys initiative to. This applies to all services that support CMK if enabled. 
Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsCMKSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scope to assign Customer Managed Keys initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsCMKInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. 
Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsAPIMInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "API Management", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for API Management. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsAPIMSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scope to assign API Management initiatives to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsAPIMInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. 
Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsAppServicesInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "App Services", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsAppServicesSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign App Services initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsAppServicesInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. 
Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsAutomationInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Automation Accounts", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsAutomationSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign Automation Accounts initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsAutomationInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. 
Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsCognitiveServicesInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Cognitive Services", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. 
Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsCognitiveServicesSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign Cognitive Services initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsCognitiveServicesInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. 
Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsComputeInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Compute", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsComputeSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign Compute initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsComputeInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. 
Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsContainerAppsInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Container Apps", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsContainerAppsSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign Container Apps initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsContainerAppsInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. 
Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsContainerInstanceInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Container Instance", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsContainerInstanceSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign Container Instance initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsContainerInstanceInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. 
Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsContainerRegistryInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Container Registry", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. 
Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsContainerRegistrySelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign Container Registry initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsContainerRegistryInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. 
Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsCosmosDbInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Cosmos DB", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsCosmosDbSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Cosmos DB initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsCosmosDbInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. 
Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsDataExplorerInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Data Explorer", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsDataExplorerSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Data Explorer initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsDataExplorerInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. 
Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsDataFactoryInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Data Factory", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsDataFactorySelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Data Factory initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsDataFactoryInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. 
Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsEventGridInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Event Grid", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. 
Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsEventGridSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Event Grid initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsEventGridInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. 
Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsEventHubInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Event Hub", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsEventHubSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Event Hub initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsEventHubInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. 
Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsKeyVaultSupInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Key Vault - Supplementry", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsKeyVaultSupSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Key Vault - Supplementry initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsKeyVaultSupInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. 
Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsKubernetesInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Kubernetes", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsKubernetesSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Kubernetes initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsKubernetesInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. 
Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsMachineLearningInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Machine Learning", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. 
Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsMachineLearningSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Machine Learning initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsMachineLearningInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. 
Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsMySQLInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "MySQL", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsMySQLSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the MySQL initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsMySQLInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. 
Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsNetworkInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Network and Networking services", + "defaultValue": "No", + "visible": "[equals(steps('connectivity').enableDdoS, 'Yes')]", + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsNetworkSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Network and Networking services initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsNetworkInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. 
Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsOpenAIInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Open AI", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsOpenAISelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Open AI initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsOpenAIInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. 
Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsPostgreSQLInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "PostgreSQL", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. 
Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsPostgreSQLSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the PostgreSQL initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsPostgreSQLInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. 
Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsServiceBusInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Service Bus", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsServiceBusSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Service Bus initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsServiceBusInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. 
Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsSQLInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "SQL", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsSQLSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the SQL initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsSQLInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. 
Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsStorageInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Storage", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsStorageSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Storage initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsStorageInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. 
Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsSynapseInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Synapse", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. 
Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsSynapseSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Synapse initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsSynapseInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. 
Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsVirtualDesktopInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Virtual Desktop", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsVirtualDesktopSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Virtual Desktop initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsVirtualDesktopInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. 
Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + } + ] + }, { "name": "decommissionedSandboxZones", "label": "Decommissioned/Sandbox", 
@@ -5556,6 +7884,56 @@
 "enableDecommissioned": "[steps('decommissionedSandboxZones').decommSection.enableDecommissioned]",
 "enableSandbox": "[steps('decommissionedSandboxZones').sandboxSection.enableSandbox]",
 "userAssignedIdentityResourceGroup": "[steps('management').userAssignedIdentityResourceGroup]",
+ "enableWsCMKInitiatives": "[steps('workloadspecific').enableWsCMKInitiatives]",
+ "wsCMKSelectorMG": "[steps('workloadspecific').wsCMKSelectorMG]",
+ "enableWsAPIMInitiatives": "[steps('workloadspecific').enableWsAPIMInitiatives]",
+ "wsAPIMSelectorMG": "[steps('workloadspecific').wsAPIMSelectorMG]",
+ "enableWsAppServicesInitiatives": "[steps('workloadspecific').enableWsAppServicesInitiatives]",
+ "wsAppServicesSelectorMG": "[steps('workloadspecific').wsAppServicesSelectorMG]",
+ "enableWsAutomationInitiatives": "[steps('workloadspecific').enableWsAutomationInitiatives]",
+ "wsAutomationSelectorMG": "[steps('workloadspecific').wsAutomationSelectorMG]",
+ "enableWsCognitiveServicesInitiatives": "[steps('workloadspecific').enableWsCognitiveServicesInitiatives]",
+ "wsCognitiveServicesSelectorMG": "[steps('workloadspecific').wsCognitiveServicesSelectorMG]",
+ "enableWsComputeInitiatives": "[steps('workloadspecific').enableWsComputeInitiatives]",
+ "wsComputeSelectorMG": "[steps('workloadspecific').wsComputeSelectorMG]",
+ "enableWsContainerAppsInitiatives": "[steps('workloadspecific').enableWsContainerAppsInitiatives]",
+ "wsContainerAppsSelectorMG": "[steps('workloadspecific').wsContainerAppsSelectorMG]",
+ "enableWsContainerInstanceInitiatives": "[steps('workloadspecific').enableWsContainerInstanceInitiatives]",
+ "wsContainerInstanceSelectorMG": "[steps('workloadspecific').wsContainerInstanceSelectorMG]",
+ "enableWsContainerRegistryInitiatives": "[steps('workloadspecific').enableWsContainerRegistryInitiatives]",
+ "wsContainerRegistrySelectorMG": "[steps('workloadspecific').wsContainerRegistrySelectorMG]",
+ "enableWsCosmosDbInitiatives": "[steps('workloadspecific').enableWsCosmosDbInitiatives]",
+ "wsCosmosDbSelectorMG": "[steps('workloadspecific').wsCosmosDbSelectorMG]",
+ "enableWsDataExplorerInitiatives": "[steps('workloadspecific').enableWsDataExplorerInitiatives]",
+ "wsDataExplorerSelectorMG": "[steps('workloadspecific').wsDataExplorerSelectorMG]",
+ "enableWsDataFactoryInitiatives": "[steps('workloadspecific').enableWsDataFactoryInitiatives]",
+ "wsDataFactorySelectorMG": "[steps('workloadspecific').wsDataFactorySelectorMG]",
+ "enableWsEventGridInitiatives": "[steps('workloadspecific').enableWsEventGridInitiatives]",
+ "wsEventGridSelectorMG": "[steps('workloadspecific').wsEventGridSelectorMG]",
+ "enableWsEventHubInitiatives": "[steps('workloadspecific').enableWsEventHubInitiatives]",
+ "wsEventHubSelectorMG": "[steps('workloadspecific').wsEventHubSelectorMG]",
+ "enableWsKeyVaultSupInitiatives": "[steps('workloadspecific').enableWsKeyVaultSupInitiatives]",
+ "wsKeyVaultSupSelectorMG": "[steps('workloadspecific').wsKeyVaultSupSelectorMG]",
+ "enableWsKubernetesInitiatives": "[steps('workloadspecific').enableWsKubernetesInitiatives]",
+ "wsKubernetesSelectorMG": "[steps('workloadspecific').wsKubernetesSelectorMG]",
+ "enableWsMachineLearningInitiatives": "[steps('workloadspecific').enableWsMachineLearningInitiatives]",
+ "wsMachineLearningSelectorMG": "[steps('workloadspecific').wsMachineLearningSelectorMG]",
+ "enableWsNetworkInitiatives": "[steps('workloadspecific').enableWsNetworkInitiatives]",
+ "wsNetworkSelectorMG": "[steps('workloadspecific').wsNetworkSelectorMG]",
+ "enableWsOpenAIInitiatives": "[steps('workloadspecific').enableWsOpenAIInitiatives]",
+ "wsOpenAISelectorMG": "[steps('workloadspecific').wsOpenAISelectorMG]",
+ "enableWsPostgreSQLInitiatives": "[steps('workloadspecific').enableWsPostgreSQLInitiatives]",
+ "wsPostgreSQLSelectorMG": "[steps('workloadspecific').wsPostgreSQLSelectorMG]",
+ "enableWsServiceBusInitiatives": "[steps('workloadspecific').enableWsServiceBusInitiatives]",
+ "wsServiceBusSelectorMG": "[steps('workloadspecific').wsServiceBusSelectorMG]",
+ "enableWsSQLInitiatives": "[steps('workloadspecific').enableWsSQLInitiatives]",
+ "wsSQLSelectorMG": "[steps('workloadspecific').wsSQLSelectorMG]",
+ "enableWsStorageInitiatives": "[steps('workloadspecific').enableWsStorageInitiatives]",
+ "wsStorageSelectorMG": "[steps('workloadspecific').wsStorageSelectorMG]",
+ "enableWsSynapseInitiatives": "[steps('workloadspecific').enableWsSynapseInitiatives]",
+ "wsSynapseSelectorMG": "[steps('workloadspecific').wsSynapseSelectorMG]",
+ "enableWsVirtualDesktopInitiatives": "[steps('workloadspecific').enableWsVirtualDesktopInitiatives]",
+ "wsVirtualDesktopSelectorMG": "[steps('workloadspecific').wsVirtualDesktopSelectorMG]",
 "regulatoryComplianceInitativesToAssign": "[steps('regulatory').regComplianceSelectorFull]",
 "regCompPolParAusGovIsmRestrictedVmAdminsExclude": "[coalesce(steps('regulatory').regPolicyParamAusGovIsmRestricted.regCompPolParAusGovIsmRestrictedVmAdminsExclude, '')]",
 "regCompPolParAusGovIsmRestrictedResourceTypes": "[steps('regulatory').regPolicyParamAusGovIsmRestricted.regCompPolParAusGovIsmRestrictedResourceTypes]",
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 670fa1fcb2..422cbad58f 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -813,7 +813,7 @@
 },
 "delayCount": {
 "type": "int",
- "defaultValue": 35,
+ "defaultValue": 45,
 "minValue": 1,
 "maxValue": 60,
 "metadata": {
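Review bot: Every new `ws*SelectorMG` output forwards the DropDown value unconditionally, while its control is hidden whenever the matching `enableWs*Initiatives` toggle is 'No' and carries a preselected `contoso-platform`/`contoso-landingzones` default (portal hunk above); confirm that the template gates each assignment on the enable flag and not merely on a non-empty selector array, otherwise a hidden control's default could still scope an initiative onto the platform and landing-zone management groups the user never opted into. The existing `regCompPolParAusGovIsmRestrictedVmAdminsExclude` output wraps its value in `coalesce(..., '')`; the new outputs do not, so an empty or absent selection from a hidden control is passed through as-is. Separately, this hunk keeps emitting `regulatoryComplianceInitativesToAssign` and the `regCompPolPar*` values, while the `eslzArm.json` hunk below shows those parameter declarations being removed; if they are not re-declared later in that hunk (outside this view), the deployment would be rejected for unknown parameters, so this mapping and the template's parameter list should be checked against each other.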
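Review bot: The `delayCount` default is raised from 35 to 45 without any note of why, and nothing in the parameter block records what one unit of delay corresponds to; the `metadata` description that follows (outside the hunk) should say so, along with the reason for the new value, presumably that the additional workload-specific initiative assignments this commit introduces lengthen the wait before assignments can proceed. Something like `"description": "Number of delay iterations to wait before dependent policy assignments run; 45 covers the workload-specific initiatives added alongside the regulatory ones"` would let the next maintainer judge whether the 60 `maxValue` still leaves enough headroom. Whether the delay is consumed per initiative or once overall is not visible here and should be confirmed before wording the description.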
@@ -835,129 +835,519 @@ "description": "Name of the resource group to be created for the User Assigned Managed Identity in each subscription." } }, - "regulatoryComplianceInitativesToAssign": { + "enableWsCMKInitiatives": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "wsCMKSelectorMG": { "type": "array", "defaultValue": [], "metadata": { - "description": "Array of objects containing built-in Regulatory Compliance policies to assign to sepcfied Management Groups" + "description": "Array of management groups to assign the Workload Specific Compliance initiative for API Management." } }, - "regCompPolParAusGovIsmRestrictedVmAdminsExclude": { + "enableWsAPIMInitiatives": { "type": "string", - "defaultValue": "" + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" }, - "regCompPolParAusGovIsmRestrictedResourceTypes": { - "type": "string", - "defaultValue": "all" + "wsAPIMSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for API Management." + } }, - "regCompPolParMPAACertificateThumb": { + "enableWsAppServicesInitiatives": { "type": "string", - "defaultValue": "" + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" }, - "regCompPolParMPAAApplicationName": { - "type": "string", - "defaultValue": "" + "wsAppServicesSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for App Services." 
+ } }, - "regCompPolParMPAAStoragePrefix": { + "enableWsAutomationInitiatives": { "type": "string", - "defaultValue": "" + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" }, - "regCompPolParMPAAResGroupPrefix": { - "type": "string", - "defaultValue": "" + "wsAutomationSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Automation Accounts." + } }, - "regCompPolParMPAARBatchMetricName": { + "enableWsCognitiveServicesInitiatives": { "type": "string", - "defaultValue": "" + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" }, - "regCompPolParSovBaseConfRegions": { + "wsCognitiveServicesSelectorMG": { "type": "array", - "defaultValue": [] + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Cognitive Services." + } }, - "regCompPolParSovBaseGlobalRegions": { + "enableWsComputeInitiatives": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "wsComputeSelectorMG": { "type": "array", - "defaultValue": [] + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Compute." + } }, - "regCompPolParSwift2020VmAdminsInclude": { + "enableWsContainerAppsInitiatives": { "type": "string", - "defaultValue": "" + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" }, - "regCompPolParSwift2020DomainFqdn": { - "type": "string", - "defaultValue": "" + "wsContainerAppsSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Container Apps." 
+ } }, - "regCompPolParCanadaFedPbmmVmAdminsInclude": { + "enableWsContainerInstanceInitiatives": { "type": "string", - "defaultValue": "" + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" }, - "regCompPolParCanadaFedPbmmVmAdminsExclude": { + "wsContainerInstanceSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Container Instance." + } + }, + "enableWsContainerRegistryInitiatives": { "type": "string", - "defaultValue": "" + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" }, - "regCompPolParCisV2KeyVaultKeysRotateDays": { - "type": "int", - "defaultValue": 90 + "wsContainerRegistrySelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Container Registry." + } }, - "regCompPolParCmmcL3VmAdminsInclude": { + "enableWsCosmosDbInitiatives": { "type": "string", - "defaultValue": "" + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" }, - "regCompPolParCmmcL3VmAdminsExclude": { - "type": "string", - "defaultValue": "" + "wsCosmosDbSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Cosmos DB." + } }, - "regCompPolParHitrustHipaaApplicationName": { + "enableWsDataExplorerInitiatives": { "type": "string", - "defaultValue": "" + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" }, - "regCompPolParHitrustHipaaStoragePrefix": { - "type": "string", - "defaultValue": "" + "wsDataExplorerSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Data Explorer." 
+ } }, - "regCompPolParHitrustHipaaResGroupPrefix": { + "enableWsDataFactoryInitiatives": { "type": "string", - "defaultValue": "" + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" }, - "regCompPolParHitrustHipaaCertificateThumb": { - "type": "string", - "defaultValue": "" + "wsDataFactorySelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Data Factory." + } }, - "regCompPolParIrs1075Sep2016VmAdminsExclude": { + "enableWsEventGridInitiatives": { "type": "string", - "defaultValue": "" + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" }, - "regCompPolParIrs1075Sep2016VmAdminsInclude": { + "wsEventGridSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Event Grid." + } + }, + "enableWsEventHubInitiatives": { "type": "string", - "defaultValue": "" + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" }, - "regCompPolParNZIsmRestrictedVmAdminsInclude": { + "wsEventHubSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Event Hub." + } + }, + "enableWsKeyVaultSupInitiatives": { "type": "string", - "defaultValue": "" + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" }, - "regCompPolParNZIsmRestrictedVmAdminsExclude": { + "wsKeyVaultSupSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Key Vault." 
+ } + }, + "enableWsKubernetesInitiatives": { "type": "string", - "defaultValue": "" + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" }, - "regCompPolParNistSp800171R2VmAdminsExclude": { + "wsKubernetesSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Kubernetes." + } + }, + "enableWsMachineLearningInitiatives": { "type": "string", - "defaultValue": "" + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" }, - "regCompPolParNistSp800171R2VmAdminsInclude": { + "wsMachineLearningSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Machine Learning." + } + }, + "enableWsMySQLInitiatives": { "type": "string", - "defaultValue": "" + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" }, - "regCompPolParSoc2Type2AllowedRegistries": { + "wsMySQLSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Machine Learning." + } + }, + "enableWsNetworkInitiatives": { "type": "string", - "defaultValue": "^[^\\/]+\\.azurecr\\.io\\/.+$" + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" }, - "regCompPolParSoc2Type2MaxCpuUnits": { + "wsNetworkSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Network and Networking services." 
+ } + }, + "enableWsOpenAIInitiatives": { "type": "string", - "defaultValue": "200m" + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" }, - "regCompPolParSoc2Type2MaxMemoryBytes": { + "wsOpenAISelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Open AI." + } + }, + "enableWsPostgreSQLInitiatives": { "type": "string", - "defaultValue": "1Gi" - } + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "wsPostgreSQLSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for PostgreSQL." + } + }, + "enableWsServiceBusInitiatives": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "wsServiceBusSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Service Bus." + } + }, + "enableWsSQLInitiatives": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "wsSQLSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for SQL." + } + }, + "enableWsStorageInitiatives": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "wsStorageSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Storage." 
+ } + }, + "enableWsSynapseInitiatives": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "wsSynapseSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Synapse." + } + }, + "enableWsVirtualDesktopInitiatives": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "wsVirtualDesktopSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Virtual Desktop." + } + }, + "regulatoryComplianceInitativesToAssign": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of objects containing built-in Regulatory Compliance policies to assign to sepcfied Management Groups" + } + }, + "regCompPolParAusGovIsmRestrictedVmAdminsExclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParAusGovIsmRestrictedResourceTypes": { + "type": "string", + "defaultValue": "all" + }, + "regCompPolParMPAACertificateThumb": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParMPAAApplicationName": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParMPAAStoragePrefix": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParMPAAResGroupPrefix": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParMPAARBatchMetricName": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParSovBaseConfRegions": { + "type": "array", + "defaultValue": [] + }, + "regCompPolParSovBaseGlobalRegions": { + "type": "array", + "defaultValue": [] + }, + "regCompPolParSwift2020VmAdminsInclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParSwift2020DomainFqdn": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParCanadaFedPbmmVmAdminsInclude": { + "type": "string", + "defaultValue": "" 
+ }, + "regCompPolParCanadaFedPbmmVmAdminsExclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParCisV2KeyVaultKeysRotateDays": { + "type": "int", + "defaultValue": 90 + }, + "regCompPolParCmmcL3VmAdminsInclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParCmmcL3VmAdminsExclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParHitrustHipaaApplicationName": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParHitrustHipaaStoragePrefix": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParHitrustHipaaResGroupPrefix": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParHitrustHipaaCertificateThumb": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParIrs1075Sep2016VmAdminsExclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParIrs1075Sep2016VmAdminsInclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParNZIsmRestrictedVmAdminsInclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParNZIsmRestrictedVmAdminsExclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParNistSp800171R2VmAdminsExclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParNistSp800171R2VmAdminsInclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParSoc2Type2AllowedRegistries": { + "type": "string", + "defaultValue": "^[^\\/]+\\.azurecr\\.io\\/.+$" + }, + "regCompPolParSoc2Type2MaxCpuUnits": { + "type": "string", + "defaultValue": "200m" + }, + "regCompPolParSoc2Type2MaxMemoryBytes": { + "type": "string", + "defaultValue": "1Gi" + } }, "variables": { // Declaring the prescriptive management group structure that will be used in the scope construction 
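Review bot: Two of the new `metadata.description` strings are copy-paste errors: `wsCMKSelectorMG` says "for API Management" although it drives the `wsCMKPolicyAssignment` URI for `ENFORCE-EncryptionCMKPolicyAssignment.json` added later in this diff, and `wsMySQLSelectorMG` says "for Machine Learning" instead of MySQL. None of the 26 new `enableWs*Initiatives` toggles has a description at all while every selector does; since these switch on preventive `ENFORCE-` guardrail assignments, a one-liner such as `"description": "Set to Yes to assign the Workload Specific Compliance initiative for <workload> to the management groups listed in ws<Workload>SelectorMG."` would make the parameter surface self-explaining for portal and CLI users. Separately, the portal output mapping in the earlier hunk of this diff appears to jump from `wsMachineLearningSelectorMG` straight to `enableWsNetworkInitiatives`, so `enableWsMySQLInitiatives`/`wsMySQLSelectorMG` defined here may not be reachable from the portal experience — worth confirming against the full portal file. The relocated `regulatoryComplianceInitativesToAssign` block also carries over the `sepcfied` typo in its description.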
@@ -1023,6 +1413,7 @@
 "managementGroupsLite": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json')]",
 "roleDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/roleDefinitions/customRoleDefinitions.json')]",
 "policyDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/policies.json')]",
+ "initiativeDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/initiatives.json')]",
 "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/hubspoke-connectivity.json')]",
 "vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vwan-connectivity.json')]",
 "nvaConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/nvahubspoke-connectivity.json')]",
@@ -1093,7 +1484,34 @@
 "ChangeTrackingVmssPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json')]",
 "MDFCDefenderSqlAma": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json')]",
 "dataCollectionRuleMdfcDefenderSQL": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/dataCollectionRule-DefenderSQL.json')]",
- "MDFCSubscriptionEnablement": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/mdfcConfiguration.json')]"
+ "MDFCSubscriptionEnablement": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/mdfcConfiguration.json')]",
+ // Workload Specific Compliance Initiatives
+ "wsCMKPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-EncryptionCMKPolicyAssignment.json')]",
+ "wsAPIMPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAPIMPolicyAssignment.json')]",
+ "wsAppServicesPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAppServicesPolicyAssignment.json')]",
+ "wsAutomationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAutomationPolicyAssignment.json')]",
+ "wsCognitiveServicesPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsCognitiveServicesPolicyAssignment.json')]",
+ "wsComputePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsComputePolicyAssignment.json')]",
+ "wsContainerAppsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerAppsPolicyAssignment.json')]",
+ "wsContainerInstancePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerInstancePolicyAssignment.json')]",
+ "wsContainerRegistryPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerRegistryPolicyAssignment.json')]",
+ "wsCosmosDbPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsCosmosDbPolicyAssignment.json')]",
+ "wsDataExplorerPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsDataExplorerPolicyAssignment.json')]",
+ "wsDataFactoryPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsDataFactoryPolicyAssignment.json')]",
+ "wsEventGridPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsEventGridPolicyAssignment.json')]",
+ "wsEventHubPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsEventHubPolicyAssignment.json')]",
+ "wsKeyVaultSupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKeyVaultSupPolicyAssignment.json')]",
+ "wsKubernetesPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKubernetesPolicyAssignment.json')]",
+ "wsMachineLearningPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsMachineLearningPolicyAssignment.json')]",
+ "wsMySQLPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsMySQLPolicyAssignment.json')]",
+ "wsNetworkPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsNetworkPolicyAssignment.json')]",
+ "wsOpenAIPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsOpenAIPolicyAssignment.json')]",
+ "wsPostgreSQLPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsPostgreSQLPolicyAssignment.json')]",
+ "wsServiceBusPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsServiceBusPolicyAssignment.json')]",
+ "wsSQLPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSQLPolicyAssignment.json')]",
+ "wsStoragePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsStoragePolicyAssignment.json')]",
+ "wsSynapsePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSynapsePolicyAssignment.json')]",
+ "wsVirtualDesktopPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsVirtualDesktopPolicyAssignment.json')]"
 },
 // Declaring deterministic deployment names
 "deploymentSuffix": "[concat('-', deployment().location, '-', guid(parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow')))]",
@@ -1105,6 +1523,7 @@
 "identitySubscriptionPlacement": "[take(concat('alz-IdentitySub', variables('deploymentSuffix')), 64)]",
 "roleDefsDeploymentName": "[take(concat('alz-RoleDefs', variables('deploymentSuffix')), 64)]",
 "policyDeploymentName": "[take(concat('alz-Policy', variables('deploymentSuffix')), 64)]",
+ "initiativeDeploymentName": "[take(concat('alz-PolicySet', variables('deploymentSuffix')), 64)]",
 "monitorPolicyDeploymentName": "[take(concat('alz-MonitorPolicy', variables('deploymentSuffix')), 64)]",
 "ddosRgDeploymentName": "[take(concat('alz-DDoSRg', variables('deploymentSuffix')), 64)]",
 "ddosDeploymentName": "[take(concat('alz-DDoS', variables('deploymentSuffix')), 64)]",
@@ -1201,7 +1620,34 @@
 "pidCuaDeploymentNameMultiPlatformSubs": "[take(concat('pid-', variables('cuaidMultiPlatformSubs'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
 "pidCuaDeploymentNameNetworkingNone": "[take(concat('pid-', variables('cuaidNetworkingNone'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
 "pidCuaDeploymentNameNetworkingHubSpoke": "[take(concat('pid-', variables('cuaidNetworkingHubSpoke'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
- "pidCuaDeploymentNameNetworkingVirtualWan": "[take(concat('pid-', variables('cuaidNetworkingVirtualWan'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]"
+ "pidCuaDeploymentNameNetworkingVirtualWan": "[take(concat('pid-', variables('cuaidNetworkingVirtualWan'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
+ // Workload Specific Compliance Initiatives
+ "wsCMKDeploymentName": "[take(concat('alz-wsCMK', variables('deploymentSuffix')), 35)]",
+ "wsAPIMDeploymentName": "[take(concat('alz-wsAPIM', variables('deploymentSuffix')), 35)]",
+ "wsAppServicesDeploymentName": "[take(concat('alz-wsAppService', variables('deploymentSuffix')), 35)]",
+ "wsAutomationDeploymentName": "[take(concat('alz-wsAutomation', variables('deploymentSuffix')), 35)]",
+ "wsCognitiveServicesDeploymentName": "[take(concat('alz-wsCognitiveServices', variables('deploymentSuffix')), 35)]",
+ "wsComputeDeploymentName": "[take(concat('alz-wsCompute', variables('deploymentSuffix')), 35)]",
+ "wsContainerAppsDeploymentName": "[take(concat('alz-wsContainerApps', variables('deploymentSuffix')), 35)]",
+ "wsContainerInstanceDeploymentName": "[take(concat('alz-wsContainerInstance', variables('deploymentSuffix')), 35)]",
+ "wsContainerRegistryDeploymentName": "[take(concat('alz-wsContainerRegistry', variables('deploymentSuffix')), 35)]",
+ "wsCosmosDbDeploymentName": "[take(concat('alz-wsCosmosDb', variables('deploymentSuffix')), 35)]",
+ "wsDataExplorerDeploymentName": "[take(concat('alz-wsDataExplorer', variables('deploymentSuffix')), 35)]",
+ "wsDataFactoryDeploymentName": "[take(concat('alz-wsDataFactory', variables('deploymentSuffix')), 35)]",
+ "wsEventGridDeploymentName": "[take(concat('alz-wsEventGrid', variables('deploymentSuffix')), 35)]",
+ "wsEventHubDeploymentName": "[take(concat('alz-wsEventHub', variables('deploymentSuffix')), 35)]",
+ "wsKeyVaultSupDeploymentName": "[take(concat('alz-wsKeyVaultSup', variables('deploymentSuffix')), 35)]",
+ "wsKubernetesDeploymentName": "[take(concat('alz-wsKubernetes', variables('deploymentSuffix')), 35)]",
+ "wsMachineLearningDeploymentName": "[take(concat('alz-wsMachineLearning', variables('deploymentSuffix')), 35)]",
+ "wsMySQLDeploymentName": "[take(concat('alz-wsMySQL', variables('deploymentSuffix')), 35)]",
+ "wsNetworkDeploymentName": "[take(concat('alz-wsNetwork', variables('deploymentSuffix')), 35)]",
+ "wsOpenAIDeploymentName": "[take(concat('alz-wsOpenAI', variables('deploymentSuffix')), 35)]",
+ "wsPostgreSQLDeploymentName": "[take(concat('alz-wsPostgreSQL', variables('deploymentSuffix')), 35)]",
+ "wsServiceBusDeploymentName": "[take(concat('alz-wsServiceBus', variables('deploymentSuffix')), 35)]",
+ "wsSQLDeploymentName": "[take(concat('alz-wsSQL', variables('deploymentSuffix')), 35)]",
+ "wsStorageDeploymentName": "[take(concat('alz-wsStorage', variables('deploymentSuffix')), 35)]",
+ "wsSynapseDeploymentName": "[take(concat('alz-wsSynapse', variables('deploymentSuffix')), 35)]",
+ "wsVirtualDesktopDeploymentName": "[take(concat('alz-wsVirtualDesktop', variables('deploymentSuffix')), 35)]"
 },
 "esLiteDeploymentNames": {
 "mgmtGroupLiteDeploymentName": "[take(concat('alz-MgsLite', variables('deploymentSuffix')), 64)]",
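Review bot: The new `ws*DeploymentName` values are truncated with `take(..., 35)` whereas every other deployment name in this block, including the `initiativeDeploymentName` added in the previous hunk, uses 64. For the 23-character prefixes (`alz-wsCognitiveServices`, `alz-wsContainerInstance`, `alz-wsContainerRegistry`) and a ten-character region such as `westeurope`, the 35-character budget is consumed by `-<region>-` before any of the `guid(...)` part of `deploymentSuffix` survives, so those names no longer vary with `enterpriseScaleCompanyPrefix`/`currentDateTimeUtcNow`, and longer region names will be cut mid-word. If 35 is a hard limit imposed by the nested templates (for example because they derive a resource name from `deployment().name`), record it in the block comment, e.g. `// Workload Specific Compliance Initiatives (deployment names capped at 35 chars because <reason>)`; otherwise use 64 like the rest of the block. Also `wsAppServicesDeploymentName` uses the prefix `alz-wsAppService` while the matching parameter and URI variable are spelled `AppServices`.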
@@ -1376,692 +1822,1942 @@ "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').managementGroups]" + "uri": "[variables('deploymentUris').managementGroups]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + } + } + } + }, + { + // Deploying ALZ Custom RBAC Role Definitions + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').roleDefsDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').roleDefinitions]" + } + } + }, + /* + The following deployments will deploy the required proactive and preventive Azure policies for ESLZ policy driven governance + */ + { + // Deploying ESLZ custom policies. 
+ "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').policyDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').policyDefinitions]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + } + } + } + }, + { + // Deploying ESLZ custom initiatives. + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').initiativeDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').initiativeDefinitions]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + } + } + } + }, + { + // Deploying AMBA custom policies. Note: These policies are pulled from AMBA remote repo (https://www.github.com/Azure/azure-monitor-baseline-alerts). 
See definition of deploymentUris.monitorPolicyDefinitions for more details
+ "condition": "[and(empty(parameters('singlePlatformSubscriptionId')), equals(parameters('enableMonitorBaselines'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('deploymentNames').monitorPolicyDeploymentName]",
+ "location": "[deployment().location]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').monitorPolicyDefinitions]"
+ },
+ "parameters": {
+ "enterpriseScaleCompanyPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "telemetryOptOut": {
+ "value": "[parameters('telemetryOptOut')]"
+ },
+ "platformManagementGroup": {
+ "value": "[variables('mgmtGroups').platform]"
+ },
+ "IdentityManagementGroup": {
+ "value": "[variables('mgmtGroups').identity]"
+ },
+ "managementManagementGroup": {
+ "value": "[variables('mgmtGroups').management]"
+ },
+ "connectivityManagementGroup": {
+ "value": "[variables('mgmtGroups').connectivity]"
+ },
+ "LandingZoneManagementGroup": {
+ "value": "[variables('mgmtGroups').lzs]"
+ },
+ "enableAMBAConnectivity": {
+ "value": "[parameters('enableMonitorConnectivity')]"
+ },
+ "enableAMBAIdentity": {
+ "value": "[parameters('enableMonitorIdentity')]"
+ },
+ "enableAMBALandingZone": {
+ "value": "[parameters('enableMonitorLandingZones')]"
+ },
+ "enableAMBAManagement": {
+ "value": "[parameters('enableMonitorManagement')]"
+ },
+ "enableAMBAServiceHealth": {
+ "value": "[parameters('enableMonitorBaselines')]"
+ },
+ "delayCount": {
+ "value": "[parameters('delayCount')]"
+ },
+ "policyAssignmentParametersCommon": {
+ "value": {
+ "alzMonitorResourceGroupName": {
+ "value": "[parameters('monitorAlertsResourceGroup')]"
+ },
+ "alzMonitorResourceGroupLocation": {
+ "value": "[deployment().location]"
+ }
+ }
+ },
+ "policyAssignmentParametersServiceHealth": {
+ "value": {
+ "alzMonitorActionGroupEmail": {
+ "value": "[parameters('emailContactActionGroup')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ /// Deploying AMBA custom policies. Note: These policies are pulled from AMBA remote repo (https://www.github.com/Azure/azure-monitor-baseline-alerts). See definition of deploymentUris.monitorPolicyDefinitions for more details
+ "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableMonitorBaselines'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('esLiteDeploymentNames').monitorPolicyLiteDeploymentName]",
+ "location": "[deployment().location]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').monitorPolicyDefinitions]"
+ },
+ "parameters": {
+ "enterpriseScaleCompanyPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "telemetryOptOut": {
+ "value": "[parameters('telemetryOptOut')]"
+ },
+ "platformManagementGroup": {
+ "value": "[variables('mgmtGroups').platform]"
+ },
+ "IdentityManagementGroup": {
+ "value": "[variables('mgmtGroups').platform]"
+ },
+ "managementManagementGroup": {
+ "value": "[variables('mgmtGroups').platform]"
+ },
+ "connectivityManagementGroup": {
+ "value": "[variables('mgmtGroups').platform]"
+ },
+ "LandingZoneManagementGroup": {
+ "value": "[variables('mgmtGroups').lzs]"
+ },
+ "enableAMBAConnectivity": {
+ "value": "[parameters('enableMonitorConnectivity')]"
+ },
+ "enableAMBAIdentity": {
+ "value": "[parameters('enableMonitorIdentity')]"
+ },
+ "enableAMBALandingZone": {
+ "value": "[parameters('enableMonitorLandingZones')]"
+ },
+ "enableAMBAManagement": {
+ "value": "[parameters('enableMonitorManagement')]"
+ },
+ "enableAMBAServiceHealth": {
+ "value": "[parameters('enableMonitorBaselines')]"
+ },
+ "delayCount": {
+ "value": "[parameters('delayCount')]"
+ },
+ "policyAssignmentParametersCommon": {
+ "value": {
+ "alzMonitorResourceGroupName": {
+ "value": "[parameters('monitorAlertsResourceGroup')]"
+ },
+ "alzMonitorResourceGroupLocation": {
+ "value": "[deployment().location]"
+ }
+ }
+ },
+ "policyAssignmentParametersServiceHealth": {
+ "value": {
+ "alzMonitorActionGroupEmail": {
+ "value": "[parameters('emailContactActionGroup')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ // One of Azure's untold stories.....
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat('preparingToLaunch', copyIndex())]",
+ "location": "[deployment().location]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]",
+ "dependsOn": [
+ "[variables('deploymentNames').initiativeDeploymentName]"
+ ],
+ "copy": {
+ "batchSize": 1,
+ "count": "[parameters('delayCount')]",
+ "mode": "Serial",
+ "name": "policyCompletion"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "resources": [],
+ "outputs": {}
+ }
+ }
+ },
+ /*
+ The following deployments will organize the dedicated platform subscriptions into their respective management groups
+ */
+ {
+ // Placing management subscription into dedicated management group
+ "condition": "[not(empty(parameters('managementSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').mgmtSubscriptionPlacement]",
+ "location": "[deployment().location]",
+ "scope": "[variables('scopes').managementManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').management]"
+ },
+ "subscriptionId": {
+ "value": "[parameters('managementSubscriptionId')]"
+ }
+ }
+ }
+ },
+ {
+ // Placing connectivity subscription into dedicated management group
+ "condition": "[not(empty(parameters('connectivitySubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').connectivitySubscriptionPlacement]",
+ "location": "[deployment().location]",
+ "scope": "[variables('scopes').connectivityManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').connectivity]"
+ },
+ "subscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
+ }
+ }
+ }
+ },
+ {
+ // Placing identity subscription into dedicated management group
+ "condition": "[not(empty(parameters('identitySubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').identitySubscriptionPlacement]",
+ "location": "[deployment().location]",
+ "scope": "[variables('scopes').identityManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').identity]"
+ },
+ "subscriptionId": {
+ "value": "[parameters('identitySubscriptionId')]"
+ }
+ }
+ }
+ },
+ /*
+ The following deployments will optionally configure the governance, security, and monitoring for the Azure platform and landing zones
+ */
+ {
+ // Deploying Log Analytics workspace to management subscription if condition is true
+ "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').monitoringDeploymentName]",
+ "location": "[deployment().location]",
+ "subscriptionId": "[parameters('managementSubscriptionId')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').monitoring]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').mgmtRg]"
+ },
+ "workspaceName": {
+ "value": "[variables('platformResourceNames').logAnalyticsWorkspace]"
+ },
+ "workspaceRegion": {
+ "value": "[deployment().location]"
+ },
+ "automationAccountName": {
+ "value": "[variables('platformResourceNames').automationAccount]"
+ },
+ "automationRegion": {
+ "value": "[deployment().location]"
+ },
+ "retentionInDays": {
+ "value": "[parameters('retentionInDays')]"
+ }
+ }
+ }
+ },
+ {
+ // Deploying Data Collection Rule for Log Analytics workspace if condition is true
+ "condition": "[and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').dataCollectionRuleVmInsightsDeploymentName]",
+ "location": "[deployment().location]",
+ "subscriptionId": "[parameters('managementSubscriptionId')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').dataCollectionRuleVmInsights]"
+ },
+ "parameters": {
+ "WorkspaceResourceId": {
+ "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+ },
+ "WorkspaceLocation": {
+ "value": "[deployment().location]"
+ },
+ "userGivenDcrName": {
+ "value": "[variables('platformResourceNames').dataCollectionRuleVmInsights]"
+ }
+ }
+ }
+ },
+ {
+ // Deploying Data Collection Rule for Change Tracking if condition is true
+ "condition": "[and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableChangeTracking'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').dataCollectionRuleChangeTrackingDeploymentName]",
+ "location": "[deployment().location]",
+ "subscriptionId": "[parameters('managementSubscriptionId')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').dataCollectionRuleChangeTracking]"
+ },
+ "parameters": {
+ "WorkspaceResourceId": {
+ "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+ },
+ "WorkspaceLocation": {
+ "value": "[deployment().location]"
+ },
+ "dataCollectionRuleName": {
+ "value": "[variables('platformResourceNames').dataCollectionRuleChangeTracking]"
+ }
+ }
+ }
+ },
+ {
+ // Deploying Data Collection Rule for Mdfc Defender for SQL if condition is true
+ "condition": "[and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAscForSqlOnVm'), 'DeployIfNotExists'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').dataCollectionRuleMdfcDefenderSQLDeploymentName]",
+ "location": "[deployment().location]",
+ "subscriptionId": "[parameters('managementSubscriptionId')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').dataCollectionRuleMdfcDefenderSQL]"
+ },
+ "parameters": {
+ "WorkspaceResourceId": {
+ "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+ },
+ "WorkspaceLocation": {
+ "value": "[deployment().location]"
+ },
+ "userGivenDcrName": {
+ "value": "[variables('platformResourceNames').dataCollectionRuleMdfcDefenderSql]"
+ }
+ }
+ }
+ },
+ {
+ // Creating resource group for user assigned identity
+ "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(variables('subscriptionIds'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('deploymentNames').userAssignedIdentityRgDeploymentName, copyIndex())]",
+ "subscriptionId": "[variables('subscriptionIds')[copyIndex()]]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]",
+ "onlineLzs",
+ "corpLzs",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "userAssignedIdentityRg",
+ "count": "[length(variables('subscriptionIds'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').resourceGroup]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[parameters('userAssignedIdentityResourceGroup')]"
+ },
+ "location": {
+ "value": "[deployment().location]"
+ }
+ }
+ }
+ },
+ {
+ // Deploying user assigned identity if condition is true
+ "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(variables('subscriptionIds'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('deploymentNames').userAssignedIdentityDeploymentName, copyIndex())]",
+ "location": "[deployment().location]",
+ "subscriptionId": "[variables('subscriptionIds')[copyIndex()]]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "userAssignedIdentityRg"
+ ],
+ "copy": {
+ "name": "userAssignedIdentity",
+ "count": "[length(variables('subscriptionIds'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').userAssignedIdentity]"
+ },
+ "parameters": {
+ "location": {
+ "value": "[deployment().location]"
+ },
+ "userAssignedIdentityName": {
+ "value": "[variables('platformResourceNames').userAssignedIdentity]"
+ },
+ "userAssignedIdentityResourceGroup": {
+ "value": "[parameters('userAssignedIdentityResourceGroup')]"
+ }
+ }
+ }
+ },
+ {
+ // Deploying Sentinel to Log Analytics workspace if condition is true
+ "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableSecuritySolution'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').monitoringSolutionsDeploymentName]",
+ "location": "[deployment().location]",
+ "subscriptionId": "[parameters('managementSubscriptionId')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').monitoringSolutions]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').mgmtRg]"
+ },
+ "workspaceName": {
+ "value": "[variables('platformResourceNames').logAnalyticsWorkspace]"
+ },
+ "workspaceRegion": {
+ "value": "[deployment().location]"
+ },
+ "enableSecuritySolution": {
+ "value": "[parameters('enableSecuritySolution')]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Log Analytics workspace policy to management management group if condition is true
+ "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').logAnalyticsPolicyDeploymentName]",
+ "scope": "[variables('scopes').managementManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').logAnalyticsPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "rgName": {
+ "value": "[variables('platformRgNames').mgmtRg]"
+ },
+ "logAnalyticsWorkspaceName": {
+ "value": "[variables('platformResourceNames').logAnalyticsWorkspace]"
+ },
+ "workspaceRegion": {
+ "value": "[deployment().location]"
+ },
+ "automationAccountName": {
+ "value": "[variables('platformResourceNames').automationAccount]"
+ },
+ "automationRegion": {
+ "value": "[deployment().location]"
+ },
+ "retentionInDays": {
+ "value": "[parameters('retentionInDays')]"
+ }
+ }
+ }
+ },
+ {
+ // Deploying Diagnostic Settings to management groups if Log Analytics was deployed via a loop
+ "condition": "[and(empty(parameters('singlePlatformSubscriptionId')), not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('mgmtGroupsArray')[copyIndex()], variables('deploymentNames').diagnosticSettingsforMGsDeploymentName), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', variables('mgmtGroupsArray')[copyIndex()])]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]"
+ ],
+ "copy": {
+ "name": "mgDiagSettings",
+ "count": "[length(variables('mgmtGroupsArray'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').diagnosticSettingsforManagementGroups]"
+ },
+ "parameters": {
+ "logAnalyticsResourceId": {
+ "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+ }
+ }
+ }
+ },
+ {
+ // Deploying Diagnostic Settings to ESLite management groups if Log Analytics was deployed via a loop
+ "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), empty(parameters('managementSubscriptionId')), equals(parameters('enableLogAnalytics'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('mgmtGroupsESLiteArray')[copyIndex()], variables('deploymentNames').diagnosticSettingsforMGsDeploymentName), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', variables('mgmtGroupsESLiteArray')[copyIndex()])]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]"
+ ],
+ "copy": {
+ "name": "mgDiagSettings",
+ "count": "[length(variables('mgmtGroupsESLiteArray'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').diagnosticSettingsforManagementGroups]"
+ },
+ "parameters": {
+ "logAnalyticsResourceId": {
+ "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Microsoft Cloud Security Benchmark policy to intermediate root management group if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAsc'), 'Yes')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').asbPolicyDeploymentName]",
+ "scope": "[variables('scopes').eslzRootManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "policyCompletion",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').asbPolicyInitiative]"
+ },
+ "parameters": {}
+ }
+ },
+ {
+ // Assigning Workload Specific Customer Managed Keys Initiaitve to selected management groups if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsCMKInitiatives'), 'Yes'), not(empty(parameters('wsCMKSelectorMG'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('deploymentNames').wsCMKDeploymentName, '-', replace(parameters('wsCMKSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsCMKSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "wsCMKmg",
+ "count": "[length(parameters('wsCMKSelectorMG'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').wsCMKPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "assignmentIndex": {
+ "value": "[copyIndex()]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Workload Specific APIM Initiaitve to selected management groups if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsAPIMInitiatives'), 'Yes'), not(empty(parameters('wsAPIMSelectorMG'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('deploymentNames').wsAPIMDeploymentName, '-', replace(parameters('wsAPIMSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsAPIMSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "wsAPIMmg",
+ "count": "[length(parameters('wsAPIMSelectorMG'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').wsAPIMPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "assignmentIndex": {
+ "value": "[copyIndex()]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Workload Specific App Services Initiaitve to selected management groups if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsAppServicesInitiatives'), 'Yes'), not(empty(parameters('wsAppServicesSelectorMG'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('deploymentNames').wsAppServicesDeploymentName, '-', replace(parameters('wsAppServicesSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsAppServicesSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "wsAppServicesmg",
+ "count": "[length(parameters('wsAppServicesSelectorMG'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').wsAppServicesPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "assignmentIndex": {
+ "value": "[copyIndex()]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Workload Specific Automation Accounts Initiaitve to selected management groups if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsAutomationInitiatives'), 'Yes'), not(empty(parameters('wsAutomationSelectorMG'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('deploymentNames').wsAutomationDeploymentName, '-', replace(parameters('wsAutomationSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsAutomationSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "wsAutomationmg",
+ "count": "[length(parameters('wsAutomationSelectorMG'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').wsAutomationPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "assignmentIndex": {
+ "value": "[copyIndex()]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Workload Specific Cognitive Services Initiaitve to selected management groups if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsCognitiveServicesInitiatives'), 'Yes'), not(empty(parameters('wsCognitiveServicesSelectorMG'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('deploymentNames').wsCognitiveServicesDeploymentName, '-', replace(parameters('wsCognitiveServicesSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsCognitiveServicesSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "wsCognitiveServicesmg",
+ "count": "[length(parameters('wsCognitiveServicesSelectorMG'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').wsCognitiveServicesPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "assignmentIndex": {
+ "value": "[copyIndex()]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Workload Specific Compute Initiaitve to selected management groups if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsComputeInitiatives'), 'Yes'), not(empty(parameters('wsComputeSelectorMG'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('deploymentNames').wsComputeDeploymentName, '-', replace(parameters('wsComputeSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsComputeSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "wsComputemg",
+ "count": "[length(parameters('wsComputeSelectorMG'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').wsComputePolicyAssignment]"
 }, "parameters": { "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "assignmentIndex": {
+ "value": "[copyIndex()]"
 } } } }, {
- // Deploying ALZ Custom RBAC Role Definitions
+ // Assigning Workload Specific Container Apps Initiaitve to selected
management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsContainerAppsInitiatives'), 'Yes'), not(empty(parameters('wsContainerAppsSelectorMG'))))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[variables('deploymentNames').roleDefsDeploymentName]", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsContainerAppsDeploymentName, '-', replace(parameters('wsContainerAppsSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsContainerAppsSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", - "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" ], + "copy": { + "name": "wsContainerAppsmg", + "count": "[length(parameters('wsContainerAppsSelectorMG'))]" + }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').roleDefinitions]" + "uri": "[variables('deploymentUris').wsContainerAppsPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" + } } } }, - /* - The following deployments will deploy the required proactive and preventive Azure policies for ESLZ policy driven governance - */ { - // Deploying ESLZ custom policies. 
Note: all policies should eventually be moved to built-in policies and codebase will be reduced + // Assigning Workload Specific Container Instance Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsContainerInstanceInitiatives'), 'Yes'), not(empty(parameters('wsContainerInstanceSelectorMG'))))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[variables('deploymentNames').policyDeploymentName]", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsContainerInstanceDeploymentName, '-', replace(parameters('wsContainerInstanceSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsContainerInstanceSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", - "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" ], + "copy": { + "name": "wsContainerInstancemg", + "count": "[length(parameters('wsContainerInstanceSelectorMG'))]" + }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').policyDefinitions]" + "uri": "[variables('deploymentUris').wsContainerInstancePolicyAssignment]" }, "parameters": { "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" } } } }, { - // Deploying AMBA custom policies. Note: These policies are pulled from AMBA remote repo (https://www.github.com/Azure/azure-monitor-baseline-alerts). 
See definition of deploymentUris.monitorPolicyDefinitions for more details - "condition": "[and(empty(parameters('singlePlatformSubscriptionId')), equals(parameters('enableMonitorBaselines'), 'Yes'))]", + // Assigning Workload Specific Container Registry Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsContainerRegistryInitiatives'), 'Yes'), not(empty(parameters('wsContainerRegistrySelectorMG'))))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[variables('deploymentNames').monitorPolicyDeploymentName]", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsContainerRegistryDeploymentName, '-', replace(parameters('wsContainerRegistrySelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsContainerRegistrySelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", - "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" ], + "copy": { + "name": "wsContainerRegistrymg", + "count": "[length(parameters('wsContainerRegistrySelectorMG'))]" + }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').monitorPolicyDefinitions]" + "uri": "[variables('deploymentUris').wsContainerRegistryPolicyAssignment]" }, "parameters": { - "enterpriseScaleCompanyPrefix": { + "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "telemetryOptOut": { - "value": "[parameters('telemetryOptOut')]" - }, - "platformManagementGroup": { - 
"value": "[variables('mgmtGroups').platform]" - }, - "IdentityManagementGroup": { - "value": "[variables('mgmtGroups').identity]" - }, - "managementManagementGroup": { - "value": "[variables('mgmtGroups').management]" - }, - "connectivityManagementGroup": { - "value": "[variables('mgmtGroups').connectivity]" - }, - "LandingZoneManagementGroup": { - "value": "[variables('mgmtGroups').lzs]" - }, - "enableAMBAConnectivity": { - "value": "[parameters('enableMonitorConnectivity')]" - }, - "enableAMBAIdentity": { - "value": "[parameters('enableMonitorIdentity')]" - }, - "enableAMBALandingZone": { - "value": "[parameters('enableMonitorLandingZones')]" - }, - "enableAMBAManagement": { - "value": "[parameters('enableMonitorManagement')]" - }, - "enableAMBAServiceHealth": { - "value": "[parameters('enableMonitorBaselines')]" - }, - "delayCount": { - "value": "[parameters('delayCount')]" - }, - "policyAssignmentParametersCommon": { - "value": { - "alzMonitorResourceGroupName": { - "value": "[parameters('monitorAlertsResourceGroup')]" - }, - "alzMonitorResourceGroupLocation": { - "value": "[deployment().location]" - } - } - }, - "policyAssignmentParametersServiceHealth": { - "value": { - "alzMonitorActionGroupEmail": { - "value": "[parameters('emailContactActionGroup')]" - } - } + "assignmentIndex": { + "value": "[copyIndex()]" } } } }, { - /// Deploying AMBA custom policies. Note: These policies are pulled from AMBA remote repo (https://www.github.com/Azure/azure-monitor-baseline-alerts). 
See definition of deploymentUris.monitorPolicyDefinitions for more details - "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableMonitorBaselines'), 'Yes'))]", + // Assigning Workload Specific Cosmos DB Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsCosmosDbInitiatives'), 'Yes'), not(empty(parameters('wsCosmosDbSelectorMG'))))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[variables('esLiteDeploymentNames').monitorPolicyLiteDeploymentName]", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsCosmosDbDeploymentName, '-', replace(parameters('wsCosmosDbSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsCosmosDbSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", - "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" ], + "copy": { + "name": "wsCosmosDbmg", + "count": "[length(parameters('wsCosmosDbSelectorMG'))]" + }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').monitorPolicyDefinitions]" + "uri": "[variables('deploymentUris').wsCosmosDbPolicyAssignment]" }, "parameters": { - "enterpriseScaleCompanyPrefix": { + "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "telemetryOptOut": { - "value": "[parameters('telemetryOptOut')]" - }, - "platformManagementGroup": { - "value": "[variables('mgmtGroups').platform]" - }, - "IdentityManagementGroup": { - "value": "[variables('mgmtGroups').platform]" - }, - "managementManagementGroup": { - "value": 
"[variables('mgmtGroups').platform]" - }, - "connectivityManagementGroup": { - "value": "[variables('mgmtGroups').platform]" - }, - "LandingZoneManagementGroup": { - "value": "[variables('mgmtGroups').lzs]" - }, - "enableAMBAConnectivity": { - "value": "[parameters('enableMonitorConnectivity')]" - }, - "enableAMBAIdentity": { - "value": "[parameters('enableMonitorIdentity')]" - }, - "enableAMBALandingZone": { - "value": "[parameters('enableMonitorLandingZones')]" - }, - "enableAMBAManagement": { - "value": "[parameters('enableMonitorManagement')]" - }, - "enableAMBAServiceHealth": { - "value": "[parameters('enableMonitorBaselines')]" - }, - "delayCount": { - "value": "[parameters('delayCount')]" - }, - "policyAssignmentParametersCommon": { - "value": { - "alzMonitorResourceGroupName": { - "value": "[parameters('monitorAlertsResourceGroup')]" - }, - "alzMonitorResourceGroupLocation": { - "value": "[deployment().location]" - } - } + "assignmentIndex": { + "value": "[copyIndex()]" + } + } + } + }, + { + // Assigning Workload Specific Data Explorer Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsDataExplorerInitiatives'), 'Yes'), not(empty(parameters('wsDataExplorerSelectorMG'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsDataExplorerDeploymentName, '-', replace(parameters('wsDataExplorerSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsDataExplorerSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" + ], + "copy": { + "name": "wsDataExplorermg", + "count": "[length(parameters('wsDataExplorerSelectorMG'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": 
"[variables('deploymentUris').wsDataExplorerPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "policyAssignmentParametersServiceHealth": { - "value": { - "alzMonitorActionGroupEmail": { - "value": "[parameters('emailContactActionGroup')]" - } - } + "assignmentIndex": { + "value": "[copyIndex()]" } } } }, { - // One of Azure's untold stories..... + // Assigning Workload Specific Data Factory Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsDataFactoryInitiatives'), 'Yes'), not(empty(parameters('wsDataFactorySelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[concat('preparingToLaunch', copyIndex())]", + "name": "[take(concat(variables('deploymentNames').wsDataFactoryDeploymentName, '-', replace(parameters('wsDataFactorySelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsDataFactorySelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", - "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", "dependsOn": [ - "[variables('deploymentNames').policyDeploymentName]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" ], "copy": { - "batchSize": 1, - "count": "[parameters('delayCount')]", - "mode": "Serial", - "name": "policyCompletion" + "name": "wsDataFactorymg", + "count": "[length(parameters('wsDataFactorySelectorMG'))]" }, "properties": { "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "templateLink": { "contentVersion": "1.0.0.0", - "parameters": {}, - "resources": [], - "outputs": {} + "uri": "[variables('deploymentUris').wsDataFactoryPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + 
"assignmentIndex": { + "value": "[copyIndex()]" + } } } }, - /* - The following deployments will organize the dedicated platform subscriptions into their respective management groups - */ { - // Placing management subscription into dedicated management group - "condition": "[not(empty(parameters('managementSubscriptionId')))]", + // Assigning Workload Specific Event Grid Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsEventGridInitiatives'), 'Yes'), not(empty(parameters('wsEventGridSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').mgmtSubscriptionPlacement]", + "name": "[take(concat(variables('deploymentNames').wsEventGridDeploymentName, '-', replace(parameters('wsEventGridSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsEventGridSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", - "scope": "[variables('scopes').managementManagementGroup]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" ], + "copy": { + "name": "wsEventGridmg", + "count": "[length(parameters('wsEventGridSelectorMG'))]" + }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').subscriptionPlacement]" + "uri": "[variables('deploymentUris').wsEventGridPolicyAssignment]" }, "parameters": { - "targetManagementGroupId": { - "value": "[variables('mgmtGroups').management]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "subscriptionId": { - "value": "[parameters('managementSubscriptionId')]" + "assignmentIndex": { + "value": "[copyIndex()]" } } } }, { - // Placing connectivity subscription into dedicated management group - "condition": 
"[not(empty(parameters('connectivitySubscriptionId')))]", + // Assigning Workload Specific Event Hub Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsEventHubInitiatives'), 'Yes'), not(empty(parameters('wsEventHubSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').connectivitySubscriptionPlacement]", + "name": "[take(concat(variables('deploymentNames').wsEventHubDeploymentName, '-', replace(parameters('wsEventHubSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsEventHubSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", - "scope": "[variables('scopes').connectivityManagementGroup]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" ], + "copy": { + "name": "wsEventHubmg", + "count": "[length(parameters('wsEventHubSelectorMG'))]" + }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').subscriptionPlacement]" + "uri": "[variables('deploymentUris').wsEventHubPolicyAssignment]" }, "parameters": { - "targetManagementGroupId": { - "value": "[variables('mgmtGroups').connectivity]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "subscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" + "assignmentIndex": { + "value": "[copyIndex()]" } } } }, { - // Placing identity subscription into dedicated management group - "condition": "[not(empty(parameters('identitySubscriptionId')))]", + // Assigning Workload Specific Key Vault Supplementary Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), 
equals(parameters('enableWsKeyVaultSupInitiatives'), 'Yes'), not(empty(parameters('wsKeyVaultSupSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').identitySubscriptionPlacement]", + "name": "[take(concat(variables('deploymentNames').wsKeyVaultSupDeploymentName, '-', replace(parameters('wsKeyVaultSupSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsKeyVaultSupSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", - "scope": "[variables('scopes').identityManagementGroup]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" ], + "copy": { + "name": "wsKeyVaultSupmg", + "count": "[length(parameters('wsKeyVaultSupSelectorMG'))]" + }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').subscriptionPlacement]" + "uri": "[variables('deploymentUris').wsKeyVaultSupPolicyAssignment]" }, "parameters": { - "targetManagementGroupId": { - "value": "[variables('mgmtGroups').identity]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "subscriptionId": { - "value": "[parameters('identitySubscriptionId')]" + "assignmentIndex": { + "value": "[copyIndex()]" } } } }, - /* - The following deployments will optionally configure the governance, security, and monitoring for the Azure platform and landing zones - */ { - // Deploying Log Analytics workspace to management subscription if condition is true - "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))))]", + // Assigning Workload Specific Kubernetes Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsKubernetesInitiatives'), 'Yes'), 
not(empty(parameters('wsKubernetesSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').monitoringDeploymentName]", + "name": "[take(concat(variables('deploymentNames').wsKubernetesDeploymentName, '-', replace(parameters('wsKubernetesSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsKubernetesSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", - "subscriptionId": "[parameters('managementSubscriptionId')]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "policyCompletion" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" ], + "copy": { + "name": "wsKubernetessmg", + "count": "[length(parameters('wsKubernetesSelectorMG'))]" + }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').monitoring]" + "uri": "[variables('deploymentUris').wsKubernetesPolicyAssignment]" }, "parameters": { - "rgName": { - "value": "[variables('platformRgNames').mgmtRg]" - }, - "workspaceName": { - "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" - }, - "workspaceRegion": { - "value": "[deployment().location]" - }, - "automationAccountName": { - "value": "[variables('platformResourceNames').automationAccount]" - }, - "automationRegion": { - "value": "[deployment().location]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "retentionInDays": { - "value": "[parameters('retentionInDays')]" + "assignmentIndex": { + "value": "[copyIndex()]" } } } }, { - // Deploying Data Collection Rule for Log Analytics workspace if condition is true - "condition": "[and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'))]", + // Assigning Workload Specific Machine Learning Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), 
equals(parameters('enableWsMachineLearningInitiatives'), 'Yes'), not(empty(parameters('wsMachineLearningSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').dataCollectionRuleVmInsightsDeploymentName]", + "name": "[take(concat(variables('deploymentNames').wsMachineLearningDeploymentName, '-', replace(parameters('wsMachineLearningSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsMachineLearningSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", - "subscriptionId": "[parameters('managementSubscriptionId')]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" ], + "copy": { + "name": "wsMachineLearningsmg", + "count": "[length(parameters('wsMachineLearningSelectorMG'))]" + }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').dataCollectionRuleVmInsights]" + "uri": "[variables('deploymentUris').wsMachineLearningPolicyAssignment]" }, "parameters": { - "WorkspaceResourceId": { - "value": "[variables('platformResourceIds').logAnalyticsResourceId]" - }, - "WorkspaceLocation": { - "value": "[deployment().location]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "userGivenDcrName": { - "value": "[variables('platformResourceNames').dataCollectionRuleVmInsights]" + "assignmentIndex": { + "value": "[copyIndex()]" } } } }, { - // Deploying Data Collection Rule for Change Tracking if condition is true - "condition": "[and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableChangeTracking'), 'Yes'))]", + // Assigning Workload Specific MySQL Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), 
not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsMySQLInitiatives'), 'Yes'), not(empty(parameters('wsMySQLSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').dataCollectionRuleChangeTrackingDeploymentName]", + "name": "[take(concat(variables('deploymentNames').wsMySQLDeploymentName, '-', replace(parameters('wsMySQLSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsMySQLSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", - "subscriptionId": "[parameters('managementSubscriptionId')]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" ], + "copy": { + "name": "wsMySQLmg", + "count": "[length(parameters('wsMySQLSelectorMG'))]" + }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').dataCollectionRuleChangeTracking]" + "uri": "[variables('deploymentUris').wsMySQLPolicyAssignment]" }, "parameters": { - "WorkspaceResourceId": { - "value": "[variables('platformResourceIds').logAnalyticsResourceId]" - }, - "WorkspaceLocation": { - "value": "[deployment().location]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "dataCollectionRuleName": { - "value": "[variables('platformResourceNames').dataCollectionRuleChangeTracking]" + "assignmentIndex": { + "value": "[copyIndex()]" } } } }, { - // Deploying Data Collection Rule for Mdfc Defender for SQL if condition is true - "condition": "[and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAscForSqlOnVm'), 'DeployIfNotExists'))]", + // Assigning Workload Specific Network and Networking services Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), 
not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsNetworkInitiatives'), 'Yes'), not(empty(parameters('wsNetworkSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').dataCollectionRuleMdfcDefenderSQLDeploymentName]", + "name": "[take(concat(variables('deploymentNames').wsNetworkDeploymentName, '-', replace(parameters('wsNetworkSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsNetworkSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", - "subscriptionId": "[parameters('managementSubscriptionId')]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" ], + "copy": { + "name": "wsNetworkmg", + "count": "[length(parameters('wsNetworkSelectorMG'))]" + }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').dataCollectionRuleMdfcDefenderSQL]" + "uri": "[variables('deploymentUris').wsNetworkPolicyAssignment]" }, "parameters": { - "WorkspaceResourceId": { - "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "WorkspaceLocation": { - "value": "[deployment().location]" + "assignmentIndex": { + "value": "[copyIndex()]" }, - "userGivenDcrName": { - "value": "[variables('platformResourceNames').dataCollectionRuleMdfcDefenderSql]" + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" } } } }, { - // Creating resource group for user assigned identity - "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(variables('subscriptionIds'))))]", + // Assigning Workload Specific OpenAI Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), 
not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsOpenAIInitiatives'), 'Yes'), not(empty(parameters('wsOpenAISelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[concat(variables('deploymentNames').userAssignedIdentityRgDeploymentName, copyIndex())]", - "subscriptionId": "[variables('subscriptionIds')[copyIndex()]]", + "name": "[take(concat(variables('deploymentNames').wsOpenAIDeploymentName, '-', replace(parameters('wsOpenAISelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsOpenAISelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]", - "onlineLzs", - "corpLzs", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", "corpConnectedMoveLzs" ], "copy": { - "name": "userAssignedIdentityRg", - "count": "[length(variables('subscriptionIds'))]" + "name": "wsOpenAImg", + "count": "[length(parameters('wsOpenAISelectorMG'))]" }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').resourceGroup]" + "uri": "[variables('deploymentUris').wsOpenAIPolicyAssignment]" }, "parameters": { - "rgName": { - "value": "[parameters('userAssignedIdentityResourceGroup')]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "location": { - "value": "[deployment().location]" + "assignmentIndex": { + "value": "[copyIndex()]" } } } }, { - // Deploying user assigned identity if condition is true - "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(variables('subscriptionIds'))))]", + // Assigning Workload Specific PostgreSQL Initiaitve to selected management groups if condition is true + "condition": 
"[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsPostgreSQLInitiatives'), 'Yes'), not(empty(parameters('wsPostgreSQLSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[concat(variables('deploymentNames').userAssignedIdentityDeploymentName, copyIndex())]", + "name": "[take(concat(variables('deploymentNames').wsPostgreSQLDeploymentName, '-', replace(parameters('wsPostgreSQLSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsPostgreSQLSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", - "subscriptionId": "[variables('subscriptionIds')[copyIndex()]]", "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "userAssignedIdentityRg" + "policyCompletion", + "corpConnectedMoveLzs" ], "copy": { - "name": "userAssignedIdentity", - "count": "[length(variables('subscriptionIds'))]" + "name": "wsPostgreSQLmg", + "count": "[length(parameters('wsPostgreSQLSelectorMG'))]" }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').userAssignedIdentity]" + "uri": "[variables('deploymentUris').wsPostgreSQLPolicyAssignment]" }, "parameters": { - "location": { - "value": "[deployment().location]" - }, - "userAssignedIdentityName": { - "value": "[variables('platformResourceNames').userAssignedIdentity]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "userAssignedIdentityResourceGroup": { - "value": "[parameters('userAssignedIdentityResourceGroup')]" + "assignmentIndex": { + "value": "[copyIndex()]" } } } }, { - // Deploying Sentinel to Log Analytics workspace if condition is true - "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableSecuritySolution'), 'Yes'))]", + // Assigning Workload Specific Service Bus Initiaitve to selected management groups if condition is true + "condition": 
"[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsServiceBusInitiatives'), 'Yes'), not(empty(parameters('wsServiceBusSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').monitoringSolutionsDeploymentName]", + "name": "[take(concat(variables('deploymentNames').wsServiceBusDeploymentName, '-', replace(parameters('wsServiceBusSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsServiceBusSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", - "subscriptionId": "[parameters('managementSubscriptionId')]", "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion" + "policyCompletion", + "corpConnectedMoveLzs" ], + "copy": { + "name": "wsServiceBusmg", + "count": "[length(parameters('wsServiceBusSelectorMG'))]" + }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').monitoringSolutions]" + "uri": "[variables('deploymentUris').wsServiceBusPolicyAssignment]" }, "parameters": { - "rgName": { - "value": "[variables('platformRgNames').mgmtRg]" - }, - "workspaceName": { - "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" - }, - "workspaceRegion": { - "value": "[deployment().location]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "enableSecuritySolution": { - "value": "[parameters('enableSecuritySolution')]" + "assignmentIndex": { + "value": "[copyIndex()]" } } } }, { - // Assigning Log Analytics workspace policy to management management group if condition is true - "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))))]", + // Assigning Workload Specific SQL Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), 
not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsSQLInitiatives'), 'Yes'), not(empty(parameters('wsSQLSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').logAnalyticsPolicyDeploymentName]", - "scope": "[variables('scopes').managementManagementGroup]", + "name": "[take(concat(variables('deploymentNames').wsSQLDeploymentName, '-', replace(parameters('wsSQLSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsSQLSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "policyCompletion" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" ], + "copy": { + "name": "wsSQLmg", + "count": "[length(parameters('wsSQLSelectorMG'))]" + }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').logAnalyticsPolicyAssignment]" + "uri": "[variables('deploymentUris').wsSQLPolicyAssignment]" }, "parameters": { "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "rgName": { - "value": "[variables('platformRgNames').mgmtRg]" - }, - "logAnalyticsWorkspaceName": { - "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" - }, - "workspaceRegion": { - "value": "[deployment().location]" - }, - "automationAccountName": { - "value": "[variables('platformResourceNames').automationAccount]" - }, - "automationRegion": { - "value": "[deployment().location]" - }, - "retentionInDays": { - "value": "[parameters('retentionInDays')]" + "assignmentIndex": { + "value": "[copyIndex()]" } } } }, { - // Deploying Diagnostic Settings to management groups if Log Analytics was deployed via a loop - "condition": "[and(empty(parameters('singlePlatformSubscriptionId')), not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'))]", + // Assigning Workload Specific Storage Initiaitve to selected management groups if condition is true + "condition": 
"[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsStorageInitiatives'), 'Yes'), not(empty(parameters('wsStorageSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[take(concat(variables('mgmtGroupsArray')[copyIndex()], variables('deploymentNames').diagnosticSettingsforMGsDeploymentName), 64)]", - "scope": "[concat('Microsoft.Management/managementGroups/', variables('mgmtGroupsArray')[copyIndex()])]", + "name": "[take(concat(variables('deploymentNames').wsStorageDeploymentName, '-', replace(parameters('wsStorageSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsStorageSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + "policyCompletion", + "corpConnectedMoveLzs" ], "copy": { - "name": "mgDiagSettings", - "count": "[length(variables('mgmtGroupsArray'))]" + "name": "wsStoragemg", + "count": "[length(parameters('wsStorageSelectorMG'))]" }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').diagnosticSettingsforManagementGroups]" + "uri": "[variables('deploymentUris').wsStoragePolicyAssignment]" }, "parameters": { - "logAnalyticsResourceId": { - "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" } } } }, { - // Deploying Diagnostic Settings to ESLite management groups if Log Analytics was deployed via a loop - "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), empty(parameters('managementSubscriptionId')), 
equals(parameters('enableLogAnalytics'), 'Yes'))]", + // Assigning Workload Specific Synapse Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsSynapseInitiatives'), 'Yes'), not(empty(parameters('wsSynapseSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[take(concat(variables('mgmtGroupsESLiteArray')[copyIndex()], variables('deploymentNames').diagnosticSettingsforMGsDeploymentName), 64)]", - "scope": "[concat('Microsoft.Management/managementGroups/', variables('mgmtGroupsESLiteArray')[copyIndex()])]", + "name": "[take(concat(variables('deploymentNames').wsSynapseDeploymentName, '-', replace(parameters('wsSynapseSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsSynapseSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + "policyCompletion", + "corpConnectedMoveLzs" ], "copy": { - "name": "mgDiagSettings", - "count": "[length(variables('mgmtGroupsESLiteArray'))]" + "name": "wsSynapsemg", + "count": "[length(parameters('wsSynapseSelectorMG'))]" }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').diagnosticSettingsforManagementGroups]" + "uri": "[variables('deploymentUris').wsSynapsePolicyAssignment]" }, "parameters": { - "logAnalyticsResourceId": { - "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" } } } }, { - // Assigning Microsoft Cloud Security Benchmark policy to intermediate root 
management group if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAsc'), 'Yes')))]", + // Assigning Workload Specific Virtual Desktop Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsVirtualDesktopInitiatives'), 'Yes'), not(empty(parameters('wsVirtualDesktopSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').asbPolicyDeploymentName]", - "scope": "[variables('scopes').eslzRootManagementGroup]", + "name": "[take(concat(variables('deploymentNames').wsVirtualDesktopDeploymentName, '-', replace(parameters('wsVirtualDesktopSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsVirtualDesktopSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", "location": "[deployment().location]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + "policyCompletion", + "corpConnectedMoveLzs" ], + "copy": { + "name": "wsVirtualDesktopmg", + "count": "[length(parameters('wsVirtualDesktopSelectorMG'))]" + }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').asbPolicyInitiative]" + "uri": "[variables('deploymentUris').wsVirtualDesktopPolicyAssignment]" }, - "parameters": {} + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" + } + } } }, { 
@@ -2079,6 +3775,7 @@
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
@@ -2496,9 +4193,6 @@
 "enableAscForArm": {
 "value": "[parameters('enableAscForArm')]"
 },
- "enableAscForApis": {
- "value": "[parameters('enableAscForApis')]"
- },
 "enableAscForCspm": {
 "value": "[parameters('enableAscForCspm')]"
 },
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json
index 12c98d182b..88ef20467a 100644
--- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json
@@ -23,7 +23,7 @@
 },
 "variables": {
 "policyDefinitions": {
- "deployEncryptionInTransit": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit')]"
+ "deployEncryptionInTransit": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509')]"
 },
 "policyAssignmentNames": {
 "deployEncryptionInTransit": "Enforce-TLS-SSL",
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-EncryptionCMKPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-EncryptionCMKPolicyAssignment.json
new file mode 100644
index 0000000000..df50ebb27f
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-EncryptionCMKPolicyAssignment.json
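Review bot: The assignment keeps its name `Enforce-TLS-SSL` while its `policyDefinitionId` now points at `Enforce-EncryptTransit_20240509`; as far as I recall Azure Policy treats `policyDefinitionId` as immutable on an existing assignment, so an in-place upgrade of an already-deployed environment may be rejected on this resource unless the old assignment is removed first — worth verifying against an existing deployment and, if confirmed, calling out in the upgrade guidance. The date-suffixed set-definition name is also a versioning convention that the four new `ENFORCE-*` assignment templates in this commit do not follow (they reference unsuffixed set definitions), so it would help to state which convention applies going forward. A short comment on the changed line, e.g. `// Versioned initiative: keep the suffix in step with the matching policy set definition under src/resources/Microsoft.Authorization/policySetDefinitions`, would tell the next maintainer where the suffix comes from.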
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsCMK": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsCMK": "[concat('Enforce-Encrypt-CMK', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Customer Managed Keys.",
+ "displayName": "Enforce recommended guardrails for Customer Managed Keys"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Customer Managed Keys.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsCMK))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsCMK]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsCMK]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsCMK)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsCMK), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAPIMPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAPIMPolicyAssignment.json
new file mode 100644
index 0000000000..357c0a1aec
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAPIMPolicyAssignment.json
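Review bot: The `Microsoft.Authorization/roleAssignments` resource at the end of the template grants the built-in Contributor role (`rbacContributor`) to the assignment's system-assigned identity at the management-group scope the template is deployed to, which is broader than a remediation identity normally needs; the same pattern is repeated in the new APIM, AppServices and Automation assignment templates in this commit. Whatever DINE/Modify policies the initiative contains declare the roles they actually need in their `roleDefinitionIds`, so sizing the grant to those roles — or adding a comment stating why Contributor is required here — would keep the identity at least privilege and make the grant reviewable. Two smaller points: `deployRoles` reads `parameters('toplevelManagementGroupPrefix')` while the parameter is declared as `topLevelManagementGroupPrefix` (ARM resolves it case-insensitively, but it should match the declaration), and `assignmentIndex` has no `metadata.description`; suggest `"description": "Index appended to the assignment and role-assignment names so the template can be deployed to several management groups without name collisions."`.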
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsAPIM": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsAPIM": "[concat('Enforce-GR-APIM', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for API Management.",
+ "displayName": "Enforce recommended guardrails for API Management"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for API Management.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsAPIM))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsAPIM]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsAPIM]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsAPIM)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsAPIM), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAppServicesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAppServicesPolicyAssignment.json
new file mode 100644
index 0000000000..3969cc3787
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAppServicesPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsAppServices": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsAppServices": "[concat('Enforce-GR-AppServices', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for App Services.",
+ "displayName": "Enforce recommended guardrails for App Services"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for App Services.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsAppServices))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsAppServices]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsAppServices]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsAppServices)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsAppServices), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAutomationPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAutomationPolicyAssignment.json
new file mode 100644
index 0000000000..d43297d47d
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAutomationPolicyAssignment.json
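Review bot: The assignment-name stem `Enforce-GR-AppServices` in `policyAssignmentNames` is already 22 characters before `assignmentIndex` is appended, and policy assignment names at management-group scope are limited to 24 characters, so this name only has room for a one- or two-digit index; `Enforce-GR-Automation` in the next template is at 21 and is nearly as tight. The index is the caller's loop position over the selected management groups, so it is unlikely to grow that large in practice, but the limit is easy to hit later and the failure surfaces only at deployment time. Either shorten the stem, e.g. `"enforceGuardrailsAppServices": "[concat('Enforce-GR-AppSvc', parameters('assignmentIndex'))]",`, or add a comment above the variable noting the 24-character limit and the remaining headroom.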
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsAutomation": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsAutomation": "[concat('Enforce-GR-Automation', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Automation Accounts.",
+ "displayName": "Enforce recommended guardrails for Automation Accounts"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Automation Accounts.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsAutomation))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsAutomation]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsAutomation]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsAutomation)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsAutomation), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsCognitiveServicesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsCognitiveServicesPolicyAssignment.json
new file mode 100644
index 0000000000..891aee217b
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsCognitiveServicesPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsCognitiveServices": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsCognitiveServices": "[concat('Enforce-GR-CogServ', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Cognitive Services.",
+ "displayName": "Enforce recommended guardrails for Cognitive Services"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Cognitive Services.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsCognitiveServices))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsCognitiveServices]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsCognitiveServices]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsCognitiveServices)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsCognitiveServices), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsComputePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsComputePolicyAssignment.json
new file mode 100644
index 0000000000..a507d822be
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsComputePolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsCompute": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsCompute": "[concat('Enforce-GR-Compute', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Compute.",
+ "displayName": "Enforce recommended guardrails for Compute"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Compute.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsCompute))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsCompute]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsCompute]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsCompute)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsCompute), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerAppsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerAppsPolicyAssignment.json
new file mode 100644
index 0000000000..8305812e34
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerAppsPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsContainerApps": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsContainerApps": "[concat('Enforce-GR-ContApps', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Container Apps.",
+ "displayName": "Enforce recommended guardrails for Container Apps"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Container Apps.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsContainerApps))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsContainerApps]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsContainerApps]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsContainerApps)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsContainerApps), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerInstancePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerInstancePolicyAssignment.json
new file mode 100644
index 0000000000..90154b263d
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerInstancePolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsContainerInstance": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsContainerInstance": "[concat('Enforce-GR-ContInst', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Container Instance.",
+ "displayName": "Enforce recommended guardrails for Container Instance"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Container Instance.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsContainerInstance))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsContainerInstance]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsContainerInstance]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsContainerInstance)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsContainerInstance), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerRegistryPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerRegistryPolicyAssignment.json
new file mode 100644
index 0000000000..5679741c18
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerRegistryPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsContainerRegistry": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsContainerRegistry": "[concat('Enforce-GR-ContReg', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Container Registry.",
+ "displayName": "Enforce recommended guardrails for Container Registry"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Container Registry.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsContainerRegistry))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsContainerRegistry]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsContainerRegistry]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsContainerRegistry)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsContainerRegistry), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsCosmosDbPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsCosmosDbPolicyAssignment.json
new file mode 100644
index 0000000000..de4798bbbd
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsCosmosDbPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsCosmosDb": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsCosmosDb": "[concat('Enforce-GR-CosmosDb', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Cosmos DB.",
+ "displayName": "Enforce recommended guardrails for Cosmos DB"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Cosmos DB.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsCosmosDb))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsCosmosDb]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsCosmosDb]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsCosmosDb)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsCosmosDb), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsDataExplorerPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsDataExplorerPolicyAssignment.json
new file mode 100644
index 0000000000..cac0a40e1f
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsDataExplorerPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsDataExplorer": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsDataExplorer": "[concat('Enforce-GR-DataExpl', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Data Explorer.",
+ "displayName": "Enforce recommended guardrails for Data Explorer"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Data Explorer.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsDataExplorer))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsDataExplorer]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsDataExplorer]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsDataExplorer)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsDataExplorer), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsDataFactoryPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsDataFactoryPolicyAssignment.json
new file mode 100644
index 0000000000..2991f85509
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsDataFactoryPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsDataFactory": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsDataFactory": "[concat('Enforce-GR-DataFactory', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Data Factory.",
+ "displayName": "Enforce recommended guardrails for Data Factory"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Data Factory.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsDataFactory))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsDataFactory]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsDataFactory]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsDataFactory)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsDataFactory), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsEventGridPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsEventGridPolicyAssignment.json
new file mode 100644
index 0000000000..20aa445ca6
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsEventGridPolicyAssignment.json
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "assignmentIndex": { + "type": "int", + "defaultValue": 0 + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsEventGrid": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsEventGrid": "[concat('Enforce-GR-EventGrid', parameters('assignmentIndex'))]", + "description": "This initiative assignment enables additional ALZ guardrails for Event Grid.", + "displayName": "Enforce recommended guardrails for Event Grid" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for Event Grid.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsEventGrid))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsEventGrid]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": 
"[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsEventGrid]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsEventGrid)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsEventGrid), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsEventHubPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsEventHubPolicyAssignment.json new file mode 100644 index 0000000000..538e190e28 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsEventHubPolicyAssignment.json 
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "assignmentIndex": { + "type": "int", + "defaultValue": 0 + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsEventHub": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsEventHub": "[concat('Enforce-GR-EventHub', parameters('assignmentIndex'))]", + "description": "This initiative assignment enables additional ALZ guardrails for Event Hub.", + "displayName": "Enforce recommended guardrails for Event Hub" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for Event Hub.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsEventHub))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsEventHub]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": 
"[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsEventHub]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsEventHub)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsEventHub), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKeyVaultSupPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKeyVaultSupPolicyAssignment.json new file mode 100644 index 0000000000..00b01aa98d --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKeyVaultSupPolicyAssignment.json 
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "assignmentIndex": { + "type": "int", + "defaultValue": 0 + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsKeyVaultSup": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsKeyVaultSup": "[concat('Enforce-GR-KeyVaultSup', parameters('assignmentIndex'))]", + "description": "This initiative assignment enables additional ALZ guardrails for Key Vault Supplementary.", + "displayName": "Enforce recommended guardrails for Key Vault Supplementary" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for Key Vault Supplementary.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsKeyVaultSup))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsKeyVaultSup]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": 
{ + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsKeyVaultSup]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsKeyVaultSup)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsKeyVaultSup), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKubernetesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKubernetesPolicyAssignment.json new file mode 100644 index 0000000000..06119cf2a8 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKubernetesPolicyAssignment.json 
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "assignmentIndex": { + "type": "int", + "defaultValue": 0 + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsKubernetes": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsKubernetes": "[concat('Enforce-GR-Kubernetes', parameters('assignmentIndex'))]", + "description": "This initiative assignment enables additional ALZ guardrails for Kubernetes.", + "displayName": "Enforce recommended guardrails for Kubernetes" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for Kubernetes.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsKubernetes))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsKubernetes]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": 
"[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsKubernetes]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsKubernetes)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsKubernetes), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsMachineLearningPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsMachineLearningPolicyAssignment.json new file mode 100644 index 0000000000..15f6121759 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsMachineLearningPolicyAssignment.json 
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "assignmentIndex": { + "type": "int", + "defaultValue": 0 + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsMachineLearning": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsMachineLearning": "[concat('Enforce-GR-MachLearn', parameters('assignmentIndex'))]", + "description": "This initiative assignment enables additional ALZ guardrails for Machine Learning.", + "displayName": "Enforce recommended guardrails for Machine Learning" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for Machine Learning.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsMachineLearning))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsMachineLearning]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + 
"description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsMachineLearning]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsMachineLearning)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsMachineLearning), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsMySQLPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsMySQLPolicyAssignment.json new file mode 100644 index 0000000000..9a4c3f61e6 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsMySQLPolicyAssignment.json 
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "assignmentIndex": { + "type": "int", + "defaultValue": 0 + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsMySQL": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsMySQL": "[concat('Enforce-GR-MySQL', parameters('assignmentIndex'))]", + "description": "This initiative assignment enables additional ALZ guardrails for MySQL.", + "displayName": "Enforce recommended guardrails for MySQL" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for MySQL.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsMySQL))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsMySQL]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": 
"[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsMySQL]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsMySQL)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsMySQL), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsNetworkPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsNetworkPolicyAssignment.json new file mode 100644 index 0000000000..8caedd913f --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsNetworkPolicyAssignment.json 
@@ -0,0 +1,92 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "assignmentIndex": { + "type": "int", + "defaultValue": 0 + }, + "ddosPlanResourceId": { + "type": "string", + "defaultValue": "" + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsNetwork": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsNetwork": "[concat('Enforce-GR-Network', parameters('assignmentIndex'))]", + "description": "This initiative assignment enables additional ALZ guardrails for Network and Networking services.", + "displayName": "Enforce recommended guardrails for Network and Networking services" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for Network and Networking services.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsNetwork))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsNetwork]", + "location": 
"[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsNetwork]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "ddosPlanResourceId": { + "value": "[parameters('ddosPlanResourceId')]" + } + }, + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsNetwork)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsNetwork), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsOpenAIPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsOpenAIPolicyAssignment.json new file mode 100644 index 0000000000..d8c8a3e443 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsOpenAIPolicyAssignment.json 
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "assignmentIndex": { + "type": "int", + "defaultValue": 0 + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsOpenAI": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsOpenAI": "[concat('Enforce-GR-OpenAI', parameters('assignmentIndex'))]", + "description": "This initiative assignment enables additional ALZ guardrails for OpenAI.", + "displayName": "Enforce recommended guardrails for OpenAI" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for OpenAI.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsOpenAI))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsOpenAI]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + 
"displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsOpenAI]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsOpenAI)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsOpenAI), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsPostgreSQLPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsPostgreSQLPolicyAssignment.json new file mode 100644 index 0000000000..620aa456f1 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsPostgreSQLPolicyAssignment.json 
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "assignmentIndex": { + "type": "int", + "defaultValue": 0 + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsPostgreSQL": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsPostgreSQL": "[concat('Enforce-GR-PostgreSQL', parameters('assignmentIndex'))]", + "description": "This initiative assignment enables additional ALZ guardrails for PostgreSQL.", + "displayName": "Enforce recommended guardrails for PostgreSQL" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for PostgreSQL.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsPostgreSQL))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsPostgreSQL]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": 
"[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsPostgreSQL]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsPostgreSQL)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsPostgreSQL), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSQLPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSQLPolicyAssignment.json new file mode 100644 index 0000000000..b1f5c74a60 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSQLPolicyAssignment.json 
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsSQL": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsSQL": "[concat('Enforce-GR-SQL', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for SQL.",
+ "displayName": "Enforce recommended guardrails for SQL"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for SQL.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsSQL))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsSQL]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsSQL]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsSQL)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsSQL), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsServiceBusPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsServiceBusPolicyAssignment.json new file mode 100644
index 0000000000..235ac1b028
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsServiceBusPolicyAssignment.json
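Review bot: The role assignment is declared with the preview API `2019-04-01-preview` and the `principalId` expression reads the policy assignment back through `reference(..., '2019-09-01', 'Full')`, while the assignment itself is created with `2022-06-01`; a tenant-wide guardrail template should not depend on a preview contract, and the read-back version should match the version the resource was written with. Changing to `"apiVersion": "2022-04-01"` on the `Microsoft.Authorization/roleAssignments` resource and `'2022-06-01'` inside the `reference()` call removes both inconsistencies without altering behaviour. Separately, the Contributor GUID in `rbacContributor` gives the remediation identity write access to every resource under the management group; the narrower roles declared in the `Enforce-Guardrails-SQL` member definitions' `roleDefinitionIds` would be the least-privilege choice, though that initiative is not visible in this hunk.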
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsServiceBus": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsServiceBus": "[concat('Enforce-GR-ServiceBus', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Service Bus.",
+ "displayName": "Enforce recommended guardrails for Service Bus"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Service Bus.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsServiceBus))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsServiceBus]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsServiceBus]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsServiceBus)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsServiceBus), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsStoragePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsStoragePolicyAssignment.json new file mode 100644
index 0000000000..cc2c0ed034
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsStoragePolicyAssignment.json
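Review bot: `nonComplianceMessagePlaceholder` is exposed as a deployment parameter but is only ever used to `replace()` a token inside the fixed `nonComplianceMessage.message` variable, so any caller-supplied value other than `{enforcementMode}` silently leaves the raw `{enforcementMode}` token in the compliance message shown to users. Since the message text is not parameterised there is no legitimate alternative value; either move the placeholder into `variables` next to `nonComplianceMessage`, or keep the parameter and add `"metadata": { "description": "Internal: token replaced in the non-compliance message; do not override." }` so operators do not treat it as tunable. The Contributor grant in `rbacContributor` also applies here: the remediation identity only needs the `roleDefinitionIds` declared by the initiative's DeployIfNotExists/Modify members, which are not visible in this hunk.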
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsStorage": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsStorage": "[concat('Enforce-GR-Storage', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Storage.",
+ "displayName": "Enforce recommended guardrails for Storage"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Storage.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsStorage))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsStorage]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsStorage]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsStorage)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsStorage), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSynapsePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSynapsePolicyAssignment.json new file mode 100644
index 0000000000..ea5f22e79d
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSynapsePolicyAssignment.json
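Review bot: The `enforcementMode` parameter has no `metadata.description`, and its interaction with the role assignment is the non-obvious part of this template: the Contributor grant to the policy identity is created unconditionally, so a `DoNotEnforce` assignment that operators treat as "audit only" still carries a privileged remediation identity that can be driven by an on-demand remediation task. That is presumably intended (remediation is still possible in DoNotEnforce), but it should be stated, e.g. `"metadata": { "description": "Default enforces the initiative; DoNotEnforce evaluates only, but the remediation identity and its role assignment are still created." }`. As in the sibling guardrail templates, `rbacContributor` grants broad write access at management-group scope; the `roleDefinitionIds` declared by the `Enforce-Guardrails-Storage` member definitions (not visible in this hunk) would be the least-privilege set.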
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsSynapse": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsSynapse": "[concat('Enforce-GR-Synapse', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Synapse.",
+ "displayName": "Enforce recommended guardrails for Synapse"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Synapse.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsSynapse))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsSynapse]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsSynapse]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsSynapse)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsSynapse), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsVirtualDesktopPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsVirtualDesktopPolicyAssignment.json new file mode 100644
index 0000000000..37c9c780e6
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsVirtualDesktopPolicyAssignment.json
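Review bot: The `deployRoles` seed in `roleAssignmentNames` spells the parameter as `toplevelManagementGroupPrefix` while it is declared as `topLevelManagementGroupPrefix`; ARM resolves `parameters()` case-insensitively so it deploys, but the mismatch defeats a simple search for every use of the prefix and is the kind of drift that hides a real typo later. Aligning it to `parameters('topLevelManagementGroupPrefix')` keeps the generated GUID identical (the seed string is what is hashed, and it is the parameter's value, not its name). As with the other guardrail assignments in this change, `rbacContributor` hands the remediation identity Contributor at management-group scope; the `roleDefinitionIds` of the `Enforce-Guardrails-Synapse` member definitions, not shown in this hunk, are the least-privilege set to grant instead.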
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsVirtualDesktop": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsVirtualDesktop": "[concat('Enforce-GR-VirtualDesk', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Virtual Desktop.",
+ "displayName": "Enforce recommended guardrails for Virtual Desktop"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Virtual Desktop.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsVirtualDesktop))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsVirtualDesktop]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsVirtualDesktop]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsVirtualDesktop)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsVirtualDesktop), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/README.md b/eslzArm/managementGroupTemplates/policyDefinitions/README.md
index fb7c585502..d8451e912d
--- a/eslzArm/managementGroupTemplates/policyDefinitions/README.md
+++ b/eslzArm/managementGroupTemplates/policyDefinitions/README.md
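Review bot: The assignment name `concat('Enforce-GR-VirtualDesk', parameters('assignmentIndex'))` is already 22 characters before the index is appended, and Azure limits policy assignment names at management-group scope to 24 characters, so an `assignmentIndex` of 100 or more produces a name that fails deployment; the sibling templates have shorter stems and more headroom, which makes this one the outlier. Either document the bound on the parameter, `"assignmentIndex": { "type": "int", "defaultValue": 0, "minValue": 0, "maxValue": 99 }`, or shorten the stem (e.g. `Enforce-GR-AVD`) so the limit cannot be hit. The `rbacContributor` role assignment carries the same least-privilege concern as the other guardrail assignments: Contributor at management-group scope is broader than the `roleDefinitionIds` declared by the `Enforce-Guardrails-VirtualDesktop` member definitions, which are not visible in this hunk.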
@@ -1,16 +1,16 @@ -# Information relating to `policies.json` +# Information relating to `policies.json` and `initiatives.json` -The `policies.json` deployment template provides a unified deployment experience for creating all Policy Definitions and Policy Set Definitions (Initiatives) as recommended for the Azure landing zone reference implementation. +The `policies.json` and `initiatives.json` deployment templates provides a unified deployment experience for creating all Policy Definitions and Policy Set Definitions (Initiatives) as recommended for the Azure landing zone reference implementation. -This template is designed to work across the following clouds, ensuring the supported combination of policies are created in the customer environment: +This templates are designed to work across the following clouds, ensuring the supported combination of policies are created in the customer environment: - AzureCloud (Public) - AzureChinaCloud (Azure China / 21Vianet) - AzureUSGovernment (US Government) > **IMPORTANT:** -> Please note that the `policies.json` file located in this directory is programmatically generated and **must not** be manually edited. -> When making changes to policies, please refer to the [policies.bicep](../../../src/templates/policies.bicep) file. +> Please note that the `policies.json` and `initiatives.json` files located in this directory is programmatically generated and **must not** be manually edited. +> When making changes to policies, please refer to the [policies.bicep](../../../src/templates/policies.bicep) and [initiatives.bicep](../../../src/templates/initiatives.bicep) files. *further guidance to follow* diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json new file mode 100644 index 0000000000..33a2875918 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json 
@@ -0,0 +1,245 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.170.59819", + "templateHash": "13451262239429884907" + } + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "alz", + "metadata": { + "message": "The JSON version of this file is programatically generated from Bicep. PLEASE DO NOT UPDATE MANUALLY!!", + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = \"alz\"" + }, + "maxLength": 10 + }, + "location": { + "type": "string", + "defaultValue": "[deployment().location]", + "metadata": { + "description": "Optionally set the deployment location for policies with Deploy If Not Exists effect. DEFAULT VALUE = \"deployment().location\"" + } + }, + "scope": { + "type": "string", + "defaultValue": "[tenantResourceId('Microsoft.Management/managementGroups', parameters('topLevelManagementGroupPrefix'))]", + "metadata": { + "description": "Optionally set the scope for custom Policy Definitions used in Policy Set Definitions (Initiatives). Must be one of '/', '/subscriptions/id' or '/providers/Microsoft.Management/managementGroups/id'. 
DEFAULT VALUE = '/providers/Microsoft.Management/managementGroups/${topLevelManagementGroupPrefix}'" + } + } + }, + "variables": { + "copy": [ + { + "name": "processPolicySetDefinitionsAll", + "count": "[length(variables('loadPolicySetDefinitions').All)]", + "input": "[replace(variables('loadPolicySetDefinitions').All[copyIndex('processPolicySetDefinitionsAll')], variables('templateVars').scope, parameters('scope'))]" + }, + { + "name": "processPolicySetDefinitionsAzureCloud", + "count": "[length(variables('loadPolicySetDefinitions').AzureCloud)]", + "input": "[replace(variables('loadPolicySetDefinitions').AzureCloud[copyIndex('processPolicySetDefinitionsAzureCloud')], variables('templateVars').scope, parameters('scope'))]" + }, + { + "name": "processPolicySetDefinitionsAzureChinaCloud", + "count": "[length(variables('loadPolicySetDefinitions').AzureChinaCloud)]", + "input": "[replace(variables('loadPolicySetDefinitions').AzureChinaCloud[copyIndex('processPolicySetDefinitionsAzureChinaCloud')], variables('templateVars').scope, parameters('scope'))]" + }, + { + "name": "processPolicySetDefinitionsAzureUSGovernment", + "count": "[length(variables('loadPolicySetDefinitions').AzureUSGovernment)]", + "input": "[replace(variables('loadPolicySetDefinitions').AzureUSGovernment[copyIndex('processPolicySetDefinitionsAzureUSGovernment')], variables('templateVars').scope, parameters('scope'))]" + }, + { + "name": "policySetDefinitionsAll", + "count": "[length(variables('processPolicySetDefinitionsAll'))]", + "input": "[json(variables('processPolicySetDefinitionsAll')[copyIndex('policySetDefinitionsAll')])]" + }, + { + "name": "policySetDefinitionsAzureCloud", + "count": "[length(variables('processPolicySetDefinitionsAzureCloud'))]", + "input": "[json(variables('processPolicySetDefinitionsAzureCloud')[copyIndex('policySetDefinitionsAzureCloud')])]" + }, + { + "name": "policySetDefinitionsAzureChinaCloud", + "count": 
"[length(variables('processPolicySetDefinitionsAzureChinaCloud'))]", + "input": "[json(variables('processPolicySetDefinitionsAzureChinaCloud')[copyIndex('policySetDefinitionsAzureChinaCloud')])]" + }, + { + "name": "policySetDefinitionsAzureUSGovernment", + "count": "[length(variables('processPolicySetDefinitionsAzureUSGovernment'))]", + "input": "[json(variables('processPolicySetDefinitionsAzureUSGovernment')[copyIndex('policySetDefinitionsAzureUSGovernment')])]" + } + ], + "$fxv#0": "{\n \"name\": \"Audit-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused resources driving cost should be avoided\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectDisks\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Disks Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectPublicIpAddresses\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PublicIpAddresses Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectServerFarms\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ServerFarms Effect\",\n 
\"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDisks')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectServerFarms')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Audit\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#1": "{\n \"name\": \"Audit-TrustedLaunch\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n 
\"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit virtual machines for Trusted Launch support\",\n \"description\": \"Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Trusted Launch\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksOsTrustedLaunch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditTrustedLaunchEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#10": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per 
regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n 
},\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is 
compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n 
\"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n 
\"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of 
policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n 
\"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": 
\"Modify-CogntiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n 
\"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Registry\",\n \"source\": 
\"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n 
\"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n 
},\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n 
\"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n 
\"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#2": "{\n \"name\": \"Deploy-Sql-Security\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n 
\"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. 
To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#20": "{\n \"name\": 
\"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"groupNames\": [],\n 
\"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n 
\"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n 
\"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#22": "{\n \"name\": 
\"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n 
{\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n 
\"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n 
\"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n 
\"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#25": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n 
\"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#26": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n 
\"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#27": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing 
Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n 
\"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n 
\"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-UDR\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-UDR\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n 
\"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#28": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n 
\"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#29": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n 
\"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#3": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. 
Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. 
Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. 
This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. 
Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n 
\"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n 
\"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", + "$fxv#30": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Service Bus\",\n \"source\": 
\"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"groupNames\": 
[],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#31": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n 
\"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#32": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": 
\"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n 
\"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n 
\"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-Sftp\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Sftp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": 
\"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n 
}\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#33": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": 
\"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#34": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n 
]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#35": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database 
accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n 
\"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n 
\"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. 
Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n 
\"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n 
\"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n 
\"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"graphanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": 
[]\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n 
\"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n 
\"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Graphana-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('graphanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#36": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": 
\"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. 
The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. 
Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n 
\"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n 
\"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n 
\"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": 
\"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n 
},\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n 
\"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": 
{\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#37": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n 
\"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n 
\"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n 
\"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#38": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. 
If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n 
\"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment 
provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n 
\"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}",
+ "$fxv#39": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": 
\"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n 
\"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n 
\"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n 
\"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n 
}\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n 
\"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n 
\"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n 
\"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": 
\"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n 
\"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": 
\"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n 
},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n 
},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n 
},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n 
\"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n 
\"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBotServicePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": 
\"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"parameters\":{\n \"privateDnsZoneIdForGuestConfiguration\": {\n \"value\": \"[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIdForHybridResourceProvider\": {\n \"value\": \"[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIdForKubernetesConfiguration\": {\n \"value\": \"[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n 
\"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotCentralPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#4": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": 
\"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. 
Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. 
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. 
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. 
Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n 
\"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n 
},\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n 
\"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-MINTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-MINTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#40": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": 
\"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. 
This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. 
The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. 
Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n 
\"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n 
\"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n 
\"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n 
\"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#41": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n 
\"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n 
\"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#42": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace\",\n \"description\": \"Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). 
Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": 
[\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": 
\"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#43": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. 
Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"CheckLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n 
},\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#44": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n 
},\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n 
\"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#45": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n 
}\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#46": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n 
\"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. 
Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#47": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n 
\"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": 
\"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n 
\"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": 
\"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n 
}\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": 
\"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#48": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. 
Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). 
When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#49": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n 
\"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n 
\"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n 
}\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": 
null\n }\n}\n", + "$fxv#5": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", + "$fxv#50": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This 
policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. 
The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n 
},\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n 
\"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n 
\"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": 
{\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n 
\"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n 
\"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n 
\"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#51": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n 
\"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n 
\"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#52": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n 
\"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": 
\"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n 
\"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": 
{\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": 
\"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n 
\"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#53": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. 
CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. 
The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. 
Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#6": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n 
\"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#7": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#8": 
"{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": 
\"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": 
\"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#9": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the 
execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. 
For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. 
For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n 
\"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n 
\"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": 
\"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n 
\"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": 
\"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n 
\"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "cloudEnv": "[environment().name]", + "defaultDeploymentLocationByCloudType": { + "AzureCloud": "northeurope", + "AzureChinaCloud": "chinaeast2", + "AzureUSGovernment": "usgovvirginia" + }, + "templateVars": { + "scope": "/providers/Microsoft.Management/managementGroups/contoso", + "defaultDeploymentLocation": "\"location\": \"northeurope\"", + "localizedDeploymentLocation": "[format('\"location\": \"{0}\"', variables('defaultDeploymentLocationByCloudType')[variables('cloudEnv')])]" + }, + "loadPolicySetDefinitions": { + "All": [ + "[variables('$fxv#0')]", + "[variables('$fxv#1')]", + "[variables('$fxv#2')]", + "[variables('$fxv#3')]", + "[variables('$fxv#4')]", + "[variables('$fxv#5')]", + "[variables('$fxv#6')]", + "[variables('$fxv#7')]", + "[variables('$fxv#8')]", + "[variables('$fxv#9')]", + "[variables('$fxv#10')]", + "[variables('$fxv#11')]", + "[variables('$fxv#12')]", + "[variables('$fxv#13')]", + "[variables('$fxv#14')]", + "[variables('$fxv#15')]", + "[variables('$fxv#16')]", + "[variables('$fxv#17')]", + "[variables('$fxv#18')]", + "[variables('$fxv#19')]", + "[variables('$fxv#20')]", + "[variables('$fxv#21')]", + "[variables('$fxv#22')]", + "[variables('$fxv#23')]", + "[variables('$fxv#24')]", + "[variables('$fxv#25')]", + "[variables('$fxv#26')]", + 
"[variables('$fxv#27')]", + "[variables('$fxv#28')]", + "[variables('$fxv#29')]", + "[variables('$fxv#30')]", + "[variables('$fxv#31')]", + "[variables('$fxv#32')]", + "[variables('$fxv#33')]", + "[variables('$fxv#34')]" + ], + "AzureCloud": [ + "[variables('$fxv#35')]", + "[variables('$fxv#36')]", + "[variables('$fxv#37')]", + "[variables('$fxv#38')]", + "[variables('$fxv#39')]", + "[variables('$fxv#40')]", + "[variables('$fxv#41')]", + "[variables('$fxv#42')]", + "[variables('$fxv#43')]" + ], + "AzureChinaCloud": [ + "[variables('$fxv#44')]", + "[variables('$fxv#45')]", + "[variables('$fxv#46')]", + "[variables('$fxv#47')]", + "[variables('$fxv#48')]" + ], + "AzureUSGovernment": [ + "[variables('$fxv#49')]", + "[variables('$fxv#50')]", + "[variables('$fxv#51')]", + "[variables('$fxv#52')]", + "[variables('$fxv#53')]" + ] + }, + "policySetDefinitionsByCloudType": { + "All": "[variables('policySetDefinitionsAll')]", + "AzureCloud": "[variables('policySetDefinitionsAzureCloud')]", + "AzureChinaCloud": "[variables('policySetDefinitionsAzureChinaCloud')]", + "AzureUSGovernment": "[variables('policySetDefinitionsAzureUSGovernment')]" + }, + "policySetDefinitions": "[concat(variables('policySetDefinitionsByCloudType').All, variables('policySetDefinitionsByCloudType')[variables('cloudEnv')])]" + }, + "resources": [ + { + "copy": { + "name": "PolicySetDefinitions", + "count": "[length(variables('policySetDefinitions'))]" + }, + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2020-09-01", + "name": "[variables('policySetDefinitions')[copyIndex()].name]", + "properties": { + "description": "[variables('policySetDefinitions')[copyIndex()].properties.description]", + "displayName": "[variables('policySetDefinitions')[copyIndex()].properties.displayName]", + "metadata": "[variables('policySetDefinitions')[copyIndex()].properties.metadata]", + "parameters": "[variables('policySetDefinitions')[copyIndex()].properties.parameters]", + "policyType": 
"[variables('policySetDefinitions')[copyIndex()].properties.policyType]", + "policyDefinitions": "[variables('policySetDefinitions')[copyIndex()].properties.policyDefinitions]", + "policyDefinitionGroups": "[variables('policySetDefinitions')[copyIndex()].properties.policyDefinitionGroups]" + } + } + ], + "outputs": { + "policySetDefinitionNames": { + "type": "array", + "copy": { + "count": "[length(variables('policySetDefinitions'))]", + "input": "[variables('policySetDefinitions')[copyIndex()].name]" + } + } + } +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index 00dd33afd2..35fbff6d87 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.26.170.59819", - "templateHash": "15624757911252082583" + "templateHash": "5596430806947036060" } }, "parameters": { 
@@ -55,26 +55,6 @@ "count": "[length(variables('loadPolicyDefinitions').AzureUSGovernment)]", "input": "[replace(replace(variables('loadPolicyDefinitions').AzureUSGovernment[copyIndex('processPolicyDefinitionsAzureUSGovernment')], variables('templateVars').defaultDeploymentLocation, variables('deploymentLocation')), variables('templateVars').localizedDeploymentLocation, variables('deploymentLocation'))]" }, - { - "name": "processPolicySetDefinitionsAll", - "count": "[length(variables('loadPolicySetDefinitions').All)]", - "input": "[replace(variables('loadPolicySetDefinitions').All[copyIndex('processPolicySetDefinitionsAll')], variables('templateVars').scope, parameters('scope'))]" - }, - { - "name": "processPolicySetDefinitionsAzureCloud", - "count": "[length(variables('loadPolicySetDefinitions').AzureCloud)]", - "input": "[replace(variables('loadPolicySetDefinitions').AzureCloud[copyIndex('processPolicySetDefinitionsAzureCloud')], variables('templateVars').scope, parameters('scope'))]" - }, - { - "name": "processPolicySetDefinitionsAzureChinaCloud", - "count": "[length(variables('loadPolicySetDefinitions').AzureChinaCloud)]", - "input": "[replace(variables('loadPolicySetDefinitions').AzureChinaCloud[copyIndex('processPolicySetDefinitionsAzureChinaCloud')], variables('templateVars').scope, parameters('scope'))]" - }, - { - "name": "processPolicySetDefinitionsAzureUSGovernment", - "count": "[length(variables('loadPolicySetDefinitions').AzureUSGovernment)]", - "input": "[replace(variables('loadPolicySetDefinitions').AzureUSGovernment[copyIndex('processPolicySetDefinitionsAzureUSGovernment')], variables('templateVars').scope, parameters('scope'))]" - }, { "name": "policyDefinitionsAll", "count": "[length(variables('processPolicyDefinitionsAll'))]", 
@@ -94,26 +74,6 @@ "name": "policyDefinitionsAzureUSGovernment", "count": "[length(variables('processPolicyDefinitionsAzureUSGovernment'))]", "input": "[json(variables('processPolicyDefinitionsAzureUSGovernment')[copyIndex('policyDefinitionsAzureUSGovernment')])]" - }, - { - "name": "policySetDefinitionsAll", - "count": "[length(variables('processPolicySetDefinitionsAll'))]", - "input": "[json(variables('processPolicySetDefinitionsAll')[copyIndex('policySetDefinitionsAll')])]" - }, - { - "name": "policySetDefinitionsAzureCloud", - "count": "[length(variables('processPolicySetDefinitionsAzureCloud'))]", - "input": "[json(variables('processPolicySetDefinitionsAzureCloud')[copyIndex('policySetDefinitionsAzureCloud')])]" - }, - { - "name": "policySetDefinitionsAzureChinaCloud", - "count": "[length(variables('processPolicySetDefinitionsAzureChinaCloud'))]", - "input": "[json(variables('processPolicySetDefinitionsAzureChinaCloud')[copyIndex('policySetDefinitionsAzureChinaCloud')])]" - }, - { - "name": "policySetDefinitionsAzureUSGovernment", - "count": "[length(variables('processPolicySetDefinitionsAzureUSGovernment'))]", - "input": "[json(variables('processPolicySetDefinitionsAzureUSGovernment')[copyIndex('policySetDefinitionsAzureUSGovernment')])]" } ], "$fxv#0": "{\n \"name\": \"Append-AppService-httpsonly\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"AppService append enable https only setting to enforce https setting.\",\n \"description\": \"Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. 
Please note Append does not enforce compliance use then deny.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"notequals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": [\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"value\": true\n }\n ]\n }\n }\n }\n}\n", 
@@ -137,75 +97,71 @@ "$fxv#114": "{\n \"name\": \"Deploy-MDFC-SQL-AMA\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure SQL Virtual Machines to automatically install Azure Monitor Agent\",\n \"description\": \"Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n \"like\": \"Windows*\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"microsoftsqlserver\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": 
\"Microsoft.Compute/virtualMachines/extensions\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"name\": \"[[concat(field('fullName'), '/AzureMonitorWindowsAgent')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n \"equals\": \"AzureMonitorWindowsAgent\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n \"equals\": \"Microsoft.Azure.Monitor\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\n \"in\": [\n \"Succeeded\",\n \"Provisioning succeeded\"\n ]\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"userAssignedManagedIdentity\": {\n \"type\": \"string\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"string\"\n },\n \"identityResourceGroup\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"extensionName\": \"AzureMonitorWindowsAgent\",\n \"extensionPublisher\": \"Microsoft.Azure.Monitor\",\n \"extensionType\": \"AzureMonitorWindowsAgent\",\n \"extensionTypeHandlerVersion\": \"1.2\"\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('vmName'), '/', variables('extensionName'))]\",\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"location\": \"[[parameters('location')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"apiVersion\": \"2023-03-01\",\n \"properties\": {\n \"publisher\": \"[[variables('extensionPublisher')]\",\n \"type\": \"[[variables('extensionType')]\",\n \"typeHandlerVersion\": 
\"[[variables('extensionTypeHandlerVersion')]\",\n \"autoUpgradeMinorVersion\": true,\n \"enableAutomaticUpgrade\": true,\n \"settings\": {\n \"authentication\": {\n \"managedIdentity\": {\n \"identifier-name\": \"mi_res_id\",\n \"identifier-value\": \"[[parameters('userAssignedManagedIdentity')]\"\n }\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"userAssignedManagedIdentity\": {\n \"value\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName')))]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#115": "{\n \"name\": \"Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace\",\n \"description\": \"Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). 
Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n 
\"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n \"like\": \"Windows*\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"microsoftsqlserver\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"deploymentScope\": \"subscription\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('workspaceRegion')]\"\n },\n {\n \"field\": \"name\",\n \"equals\": \"[[parameters('dcrName')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"eastus\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceGroup\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n 
\"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('dcrResourceGroup')]\",\n \"defaultRGLocation\": \"[[parameters('workspaceRegion')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\",\n \"deployDataCollectionRules\": \"[[concat('deployDataCollectionRules-', uniqueString(deployment().name))]\",\n \"deployDataCollectionRulesAssociation\": \"[[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]\",\n \"deployDefenderForSQL\": \"[[concat('deployDefenderForSQL-', uniqueString(deployment().name))]\"\n },\n \"resources\": [\n {\n \"condition\": \"[[empty(parameters('dcrResourceGroup'))]\",\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"name\": 
\"[[variables('defaultRGName')]\",\n \"apiVersion\": \"2022-09-01\",\n \"location\": \"[[variables('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDefenderForSQL')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n },\n \"vmName\": {\n \"value\": \"[[parameters('vmName')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]\",\n \"apiVersion\": \"2023-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"publisher\": \"Microsoft.Azure.AzureDefenderForSQL\",\n \"type\": \"AdvancedThreatProtection.Windows\",\n \"typeHandlerVersion\": \"2.0\",\n \"autoUpgradeMinorVersion\": true,\n \"enableAutomaticUpgrade\": true\n }\n }\n ]\n }\n }\n },\n {\n \"condition\": \"[[empty(parameters('dcrId'))]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRules')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[variables('defaultRGName')]\",\n \"dependsOn\": [\n \"[[variables('defaultRGName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"defaultRGLocation\": {\n 
\"value\": \"[[variables('defaultRGLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"dcrName\": {\n \"value\": \"[[variables('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"defaultRGLocation\": {\n \"type\": \"string\"\n },\n \"workspaceResourceId\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"name\": \"[[parameters('dcrName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"location\": \"[[parameters('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"description\": \"Data collection rule for Microsoft Defender for SQL. 
Deleting this rule will break the detection of security vulnerabilities.\",\n \"dataSources\": {\n \"extensions\": [\n {\n \"extensionName\": \"MicrosoftDefenderForSQL\",\n \"name\": \"MicrosoftDefenderForSQL\",\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"extensionSettings\": {\n \"enableCollectionOfSqlQueriesForSecurityResearch\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n }\n ]\n },\n \"destinations\": {\n \"logAnalytics\": [\n {\n \"workspaceResourceId\": \"[[parameters('workspaceResourceId')]\",\n \"name\": \"LogAnalyticsDest\"\n }\n ]\n },\n \"dataFlows\": [\n {\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"destinations\": [\n \"LogAnalyticsDest\"\n ]\n }\n ]\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRulesAssociation')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n \"dependsOn\": [\n \"[[variables('deployDataCollectionRules')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"dcraName\": {\n \"value\": \"[[variables('dcraName')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"dcraName\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"type\": 
\"Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[parameters('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between SQL Virtual Machine and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.\",\n \"dataCollectionRuleId\": \"[[parameters('dcrId')]\"\n }\n }\n ]\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"resourceGroup\": {\n \"value\": \"[[resourceGroup().name]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#116": "{\n \"name\": \"Deploy-MDFC-SQL-DefenderSQL\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"displayName\": \"Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL\",\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"description\": \"Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. 
Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n \"like\": \"Windows*\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"microsoftsqlserver\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": 
\"[[concat(field('fullName'), '/MicrosoftDefenderForSQL')]\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n \"equals\": \"AdvancedThreatProtection.Windows\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n \"equals\": \"Microsoft.Azure.AzureDefenderForSQL\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\n \"in\": [\n \"Succeeded\",\n \"Provisioning succeeded\"\n ]\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n 
\"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"actualLocation\": \"[[if(empty(parameters('workspaceRegion')), parameters('location'), parameters('workspaceRegion'))]\",\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), variables('actualLocation')), variables('locationLongNameToShortMap')[variables('actualLocation')], variables('actualLocation'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('dcrResourceGroup')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]\",\n \"apiVersion\": \"2023-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"publisher\": \"Microsoft.Azure.AzureDefenderForSQL\",\n \"type\": \"AdvancedThreatProtection.Windows\",\n \"typeHandlerVersion\": \"2.0\",\n \"autoUpgradeMinorVersion\": true,\n \"enableAutomaticUpgrade\": true\n },\n \"dependsOn\": [\n \"[[extensionResourceId(concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Compute/virtualMachines/', parameters('vmName')), 'Microsoft.Insights/dataCollectionRuleAssociations','MicrosoftDefenderForSQL-RulesAssociation')]\"\n ]\n },\n {\n \"type\": 
\"Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[variables('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between SQL Virtual Machine and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.\",\n \"dataCollectionRuleId\": \"[[variables('dcrId')]\"\n }\n }\n ]\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#117": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. 
See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for Paas services\",\n \"description\": \"The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. 
Also referred to as subresource.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": 
\"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#118": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#119": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": 
\"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#117": "{\n \"name\": \"Deny-APIM-TLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"API Management services should use TLS version 1.2\",\n \"description\": \"Azure API Management service should use TLS version 1.2\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n 
]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.ApiManagement/service\"\n },\n {\n \"anyOf\": [\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\\\":\\\"true\\\"')]\",\n \"greater\": 0\n },\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\\\":true')]\",\n \"greater\": 0\n },\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\\\":\\\"true\\\"')]\",\n \"greater\": 0\n },\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\\\":true')]\",\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#118": "{\n \"name\": \"Deny-AppGw-Without-Tls\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2\",\n \"description\": \"This policy enables you to restrict that Application Gateways is always deployed with predefined Microsoft policy that is using TLS version 1.2\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n 
\"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"predefinedPolicyName\": {\n \"type\": \"array\",\n \"metadata\": {\n \"displayName\": \"Predefined policy name\",\n \"description\": \"Predefined policy name\"\n },\n \"defaultValue\": [\n \"AppGwSslPolicy20220101\",\n \"AppGwSslPolicy20170401S\",\n \"AppGwSslPolicy20220101S\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/applicationGateways\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/applicationGateways/sslPolicy.policyType\",\n \"notEquals\": \"Predefined\"\n },\n {\n \"field\": \"Microsoft.Network/applicationGateways/sslPolicy.policyType\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Network/applicationGateways/sslPolicy.policyName\",\n \"notIn\": \"[[parameters('predefinedPolicyName')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#119": "{\n \"name\": \"Deny-AppService-without-BYOC\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"App Service certificates must be stored in Key Vault\",\n \"description\": \"App Service (including Logic apps and Function apps) must use certificates stored in Key Vault\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n 
\"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/certificates\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Web/certificates/keyVaultId\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Web/certificates/keyVaultSecretName\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", "$fxv#12": "{\n \"name\": \"Deny-AppServiceWebApp-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"like\": \"app*\"\n },\n {\n \"field\": 
\"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#120": "{\n \"name\": \"Deny-Databricks-NoPublicIp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public IPs for Databricks cluster\",\n \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n \"notEquals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#121": "{\n \"name\": \"Deny-Databricks-Sku\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny non-premium Databricks sku\",\n \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n 
\"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n \"notEquals\": \"premium\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#122": "{\n \"name\": \"Deny-Databricks-VirtualNetwork\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n \"exists\": false\n },\n {\n \"field\": 
\"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n \"exists\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#123": "{\n \"name\": \"Deny-MachineLearning-Aks\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AKS\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#124": "{\n \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n 
\"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#125": "{\n \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n 
\"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVmSizes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n },\n \"defaultValue\": [\n \"Standard_D1_v2\",\n \"Standard_D2_v2\",\n \"Standard_D3_v2\",\n \"Standard_D4_v2\",\n \"Standard_D11_v2\",\n \"Standard_D12_v2\",\n \"Standard_D13_v2\",\n \"Standard_D14_v2\",\n \"Standard_DS1_v2\",\n \"Standard_DS2_v2\",\n \"Standard_DS3_v2\",\n \"Standard_DS4_v2\",\n \"Standard_DS5_v2\",\n \"Standard_DS11_v2\",\n \"Standard_DS12_v2\",\n \"Standard_DS13_v2\",\n \"Standard_DS14_v2\",\n \"Standard_M8-2ms\",\n \"Standard_M8-4ms\",\n \"Standard_M8ms\",\n \"Standard_M16-4ms\",\n \"Standard_M16-8ms\",\n \"Standard_M16ms\",\n \"Standard_M32-8ms\",\n \"Standard_M32-16ms\",\n \"Standard_M32ls\",\n \"Standard_M32ms\",\n \"Standard_M32ts\",\n \"Standard_M64-16ms\",\n \"Standard_M64-32ms\",\n \"Standard_M64ls\",\n \"Standard_M64ms\",\n \"Standard_M64s\",\n \"Standard_M128-32ms\",\n \"Standard_M128-64ms\",\n \"Standard_M128ms\",\n \"Standard_M128s\",\n \"Standard_M64\",\n \"Standard_M64m\",\n \"Standard_M128\",\n \"Standard_M128m\",\n \"Standard_D1\",\n \"Standard_D2\",\n \"Standard_D3\",\n \"Standard_D4\",\n \"Standard_D11\",\n \"Standard_D12\",\n \"Standard_D13\",\n \"Standard_D14\",\n \"Standard_DS15_v2\",\n \"Standard_NV6\",\n \"Standard_NV12\",\n \"Standard_NV24\",\n \"Standard_F2s_v2\",\n \"Standard_F4s_v2\",\n \"Standard_F8s_v2\",\n 
\"Standard_F16s_v2\",\n \"Standard_F32s_v2\",\n \"Standard_F64s_v2\",\n \"Standard_F72s_v2\",\n \"Standard_NC6s_v3\",\n \"Standard_NC12s_v3\",\n \"Standard_NC24rs_v3\",\n \"Standard_NC24s_v3\",\n \"Standard_NC6\",\n \"Standard_NC12\",\n \"Standard_NC24\",\n \"Standard_NC24r\",\n \"Standard_ND6s\",\n \"Standard_ND12s\",\n \"Standard_ND24rs\",\n \"Standard_ND24s\",\n \"Standard_NC6s_v2\",\n \"Standard_NC12s_v2\",\n \"Standard_NC24rs_v2\",\n \"Standard_NC24s_v2\",\n \"Standard_ND40rs_v2\",\n \"Standard_NV12s_v3\",\n \"Standard_NV24s_v3\",\n \"Standard_NV48s_v3\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n \"notIn\": \"[[parameters('allowedVmSizes')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#126": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n 
\"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#127": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"maxNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Count\",\n \"description\": \"Specifies the maximum node count of AML Clusters\"\n },\n \"defaultValue\": 10\n },\n \"minNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Node Count\",\n \"description\": \"Specifies the minimum node count 
of AML Clusters\"\n },\n \"defaultValue\": 0\n },\n \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n },\n \"defaultValue\": 900\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n \"greater\": \"[[parameters('maxNodeCount')]\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n \"greater\": \"[[parameters('minNodeCount')]\"\n },\n {\n \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#128": "{\n \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n 
\"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#129": "{\n \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": 
\"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#120": "{\n \"name\": \"Deny-AzFw-Without-Policy\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Azure Firewall should have a default Firewall Policy\",\n \"description\": \"This policy denies the creation of Azure Firewall without a default Firewall Policy.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/azureFirewalls\"\n },\n {\n \"field\": \"Microsoft.Network/azureFirewalls/firewallPolicy.id\",\n \"exists\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#121": "{\n \"name\": \"Deny-CognitiveServices-NetworkAcls\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Network ACLs should be restricted for Cognitive Services\",\n \"description\": \"Azure Cognitive Services should not allow adding 
individual IPs or virtual network rules to the service-level firewall. Enable this to restrict inbound network access and enforce the usage of private endpoints.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n {\n \"anyOf\": [\n {\n \"count\": {\n \"field\": \"Microsoft.CognitiveServices/accounts/networkAcls.ipRules[*]\"\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"field\": \"Microsoft.CognitiveServices/accounts/networkAcls.virtualNetworkRules[*]\"\n },\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#122": "{\n \"name\": \"Deny-CognitiveServices-Resource-Kinds\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Only explicit kinds for Cognitive Services should be allowed\",\n \"description\": \"Azure Cognitive Services should only create explicit allowed kinds.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n 
\"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"allowedKinds\": {\n \"type\": \"array\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Select the allowed resource kinds to be used with Cognitive Services\"\n },\n \"allowedValues\": [\n \"AnomalyDetector\",\n \"ComputerVision\",\n \"CognitiveServices\",\n \"ContentModerator\",\n \"CustomVision.Training\",\n \"CustomVision.Prediction\",\n \"Face\",\n \"FormRecognizer\",\n \"ImmersiveReader\",\n \"LUIS\",\n \"Personalizer\",\n \"SpeechServices\",\n \"TextAnalytics\",\n \"TextTranslation\",\n \"OpenAI\"\n ],\n \"defaultValue\": [\n \"AnomalyDetector\",\n \"ComputerVision\",\n \"CognitiveServices\",\n \"ContentModerator\",\n \"CustomVision.Training\",\n \"CustomVision.Prediction\",\n \"Face\",\n \"FormRecognizer\",\n \"ImmersiveReader\",\n \"LUIS\",\n \"Personalizer\",\n \"SpeechServices\",\n \"TextAnalytics\",\n \"TextTranslation\",\n \"OpenAI\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n {\n \"field\": \"kind\",\n \"notIn\": \"[[parameters('allowedKinds')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#123": "{\n \"name\": \"Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Outbound network access should be restricted for Cognitive Services\",\n \"description\": \"Azure Cognitive Services allow restricting outbound network access. 
Enable this to limit outbound connectivity for the service.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#124": "{\n \"name\": \"Deny-EH-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Event Hub namespaces should use a valid TLS version\",\n \"description\": \"Event Hub namespaces should use a valid TLS version.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n 
\"minTlsVersion\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Minimum TLS Version\",\n \"description\": \"Minimum TLS version to be used by Event Hub\"\n },\n \"defaultValue\": \"1.2\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventHub/namespaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.EventHub/namespaces/minimumTlsVersion\",\n \"notEquals\": \"[[parameters('minTlsVersion')]\"\n },\n {\n \"field\": \"Microsoft.EventHub/namespaces/minimumTlsVersion\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#125": "{\n \"name\": \"Deny-EH-Premium-CMK\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Event Hub namespaces (Premium) should use a customer-managed key for encryption\",\n \"description\": \"Event Hub namespaces (Premium) should use a customer-managed key for encryption.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventHub/namespaces\"\n },\n {\n \"field\": \"Microsoft.EventHub/namespaces/sku.name\",\n \"equals\": \"Premium\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.EventHub/namespaces/encryption.keySource\",\n \"equals\": \"Microsoft.Keyvault\"\n 
}\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#126": "{\n \"name\": \"Deny-LogicApp-Public-Network\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Logic apps should disable public network access\",\n \"description\": \"Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. Creating private endpoints can limit exposure of a Logic App. Learn more at: https://aka.ms/app-service-private-endpoint.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Logic Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"contains\": \"workflowapp\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Web/sites/publicNetworkAccess\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Web/sites/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#127": "{\n \"name\": \"Deny-LogicApps-Without-Https\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Logic app should only be accessible over HTTPS\",\n 
\"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Logic Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"contains\": \"workflowapp\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#128": "{\n \"name\": \"Deny-Service-Endpoints\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny or Audit service endpoints on subnets\",\n \"description\": \"This Policy will deny/audit Service Endpoints on subnets. 
Service Endpoints allows the network traffic to bypass Network appliances, such as the Azure Firewall.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*].service\",\n \"exists\": true\n }\n },\n \"greater\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#129": "{\n \"name\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Storage Accounts should use a container delete retention policy\",\n \"description\": \"Enforce container delete retention policies larger than seven days for storage account. 
Enable this for increased data loss protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Container Delete Retention in Days\",\n \"description\": \"Specifies the minimum number of days for the container delete retention policy\"\n },\n \"defaultValue\": 7\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/blobServices\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled\",\n \"notEquals\": true\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.days\",\n \"less\": \"[[parameters('minContainerDeleteRetentionInDays')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", "$fxv#13": "{\n \"name\": \"Deny-MySql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"MySQL database servers enforce SSL connections.\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications 
using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#130": "{\n \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n 
\"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n \"description\": \"Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#131": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": 
\"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. 
It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n 
\"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": \"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": 
\"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#132": "{\n \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n 
\"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#133": "{\n \"name\": \"Deny-AFSPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Public network access should be disabled for Azure File Sync\",\n \"description\": \"Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. 
You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.StorageSync/storageSyncServices\"\n },\n {\n \"field\": \"Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy\",\n \"notEquals\": \"AllowVirtualNetworksOnly\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#134": "{\n \"name\": \"Deny-KeyVaultPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Azure Key Vault should disable public network access\",\n \"description\": \"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. 
Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"2.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.KeyVault/vaults\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.KeyVault/vaults/createMode\",\n \"equals\": \"recover\"\n }\n },\n {\n \"field\": \"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\n \"notEquals\": \"Deny\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#135": "{\n \"name\": \"Deploy-ActivityLogs-to-LA-workspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Configure Azure Activity logs to stream to specified Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions 
(or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\",\n \"assignPermissions\": true\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n },\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"defaultValue\": \"True\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"chinaeast2\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"string\"\n },\n \"logsEnabled\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"subscriptionToLa\",\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"location\": \"Global\",\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n 
\"logs\": [\n {\n \"category\": \"Administrative\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Security\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ServiceHealth\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Alert\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Recommendation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Policy\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ResourceHealth\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ]\n }\n }\n }\n }\n}\n", - "$fxv#136": "{\n \"name\": \"Deploy-Default-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. 
This policy must be assigned for each region you plan to use.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"defaultRoute\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Default route to add into UDR\",\n \"description\": \"Policy will deploy a default route table to a vnet\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"VNet Region\",\n \"description\": \"Regional VNet hub location\",\n \"strongType\": \"location\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n \"equals\": \"[[parameters('defaultRoute')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"udrName\": {\n \"value\": \"[[concat(field('name'),'-udr')]\"\n },\n \"udrLocation\": {\n \"value\": \"[[field('location')]\"\n },\n \"defaultRoute\": {\n \"value\": \"[[parameters('defaultRoute')]\"\n }\n },\n \"template\": {\n \"$schema\": 
\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"udrName\": {\n \"type\": \"string\"\n },\n \"udrLocation\": {\n \"type\": \"string\"\n },\n \"defaultRoute\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"name\": \"[[parameters('udrName')]\",\n \"apiVersion\": \"2020-08-01\",\n \"location\": \"[[parameters('udrLocation')]\",\n \"properties\": {\n \"routes\": [\n {\n \"name\": \"AzureFirewallRoute\",\n \"properties\": {\n \"addressPrefix\": \"0.0.0.0/0\",\n \"nextHopType\": \"VirtualAppliance\",\n \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#137": "{\n \"name\": \"Deploy-MySQLCMKEffect\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"MySQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\",\n \"metadata\": {\n \"version\": \"1.0.4\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforMySQL/servers/keys\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/serverKeyType\",\n \"equals\": \"AzureKeyVault\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n \"notEquals\": \"\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n \"exists\": \"true\"\n }\n ]\n }\n }\n }\n }\n }\n}\n", - "$fxv#138": "{\n \"name\": \"Deploy-PostgreSQLCMKEffect\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\",\n \"metadata\": {\n \"version\": \"1.0.4\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforPostgreSQL/servers/keys\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/serverKeyType\",\n \"equals\": \"AzureKeyVault\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n \"notEquals\": \"\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n \"exists\": \"true\"\n }\n ]\n }\n }\n }\n }\n }\n}\n", - "$fxv#139": "{\n \"name\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Azure File Sync to use private DNS zones\",\n \"description\": \"To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. 
This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"privateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"afs\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f\",\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n 
\"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"privatelink-afs\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#130": "{\n \"name\": \"Deny-Storage-CopyScope\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Allowed Copy scope should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the allowed copy scope. 
Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"allowedCopyScope\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Allowed Copy Scope\",\n \"description\": \"Specify the allowed copy scope.\"\n },\n \"allowedValues\": [\n \"AAD\",\n \"PrivateLink\"\n ],\n \"defaultValue\": \"AAD\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/allowedCopyScope\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/allowedCopyScope\",\n \"notEquals\": \"[[parameters('allowedCopyScope')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#131": "{\n \"name\": \"Deny-Storage-CorsRules\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Storage Accounts should restrict CORS rules\",\n \"description\": \"Deny CORS rules for storage account for increased data exfiltration protection and endpoint protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n 
\"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/blobServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/tableServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/tableServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/queueServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/queueServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#132": "{\n \"name\": \"Deny-Storage-LocalUser\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Local users should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should disable local users for features like SFTP. 
Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/isLocalUserEnabled\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/isLocalUserEnabled\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#133": "{\n \"name\": \"Deny-Storage-NetworkAclsBypass\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Network ACL bypass option should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the bypass option for service-level network ACLs. 
Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"allowedBypassOptions\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed Bypass Options\",\n \"description\": \"Specifies which options are allowed to bypass the vnet configuration\"\n },\n \"allowedValues\": [\n \"None\",\n \"Logging\",\n \"Metrics\",\n \"AzureServices\",\n \"Logging, Metrics\",\n \"Logging, AzureServices\",\n \"Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\"\n ],\n \"defaultValue\": [\n \"Logging\",\n \"Metrics\",\n \"AzureServices\",\n \"Logging, Metrics\",\n \"Logging, AzureServices\",\n \"Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.bypass\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.bypass\",\n \"notIn\": \"[[parameters('allowedBypassOptions')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#134": "{\n \"name\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n 
\"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Virtual network rules should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the virtual network service-level network ACLs. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#135": "{\n \"name\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Resource Access Rules resource IDs should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from a specific Azure subscription. 
Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]\"\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]\",\n \"where\": {\n \"value\": \"[[split(current('Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].resourceId'), '/')[2]]\",\n \"equals\": \"*\"\n }\n },\n \"greater\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#136": "{\n \"name\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Resource Access Rules Tenants should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the resource access rule for service-level network ACLs to service from the same AAD tenant. 
Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]\"\n },\n \"greater\": 0\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].tenantId\",\n \"notEquals\": \"[[subscription().tenantId]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#137": "{\n \"name\": \"Deny-Storage-ServicesEncryption\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Encryption for storage services should be enforced for Storage Accounts\",\n \"description\": \"Azure Storage accounts should enforce encryption for all storage services. 
Enforce this for increased encryption scope.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.blob.enabled\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.blob.enabled\",\n \"notEquals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.file.enabled\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.file.enabled\",\n \"notEquals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.queue.keyType\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.queue.keyType\",\n \"notEquals\": \"Account\"\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.table.keyType\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.table.keyType\",\n \"notEquals\": \"Account\"\n }\n ]\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#138": "{\n \"name\": \"Deploy-LogicApp-TLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n 
\"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Logic apps to use the latest TLS version\",\n \"description\": \"Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Logic Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"contains\": \"workflowapp\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"web\",\n \"existenceCondition\": {\n \"field\": \"Microsoft.Web/sites/config/minTlsVersion\",\n \"equals\": \"1.2\"\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"siteName\": {\n \"value\": \"[[field('name')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"siteName\": {\n \"type\": \"string\"\n }\n },\n 
\"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/sites/config\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[concat(parameters('siteName'), '/web')]\",\n \"properties\": {\n \"minTlsVersion\": \"1.2\"\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#139": "{\n \"name\": \"Modify-NSG\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of Network Security Groups (NSG)\",\n \"description\": \"This policy enforces the configuration of Network Security Groups (NSG).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"nsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"nsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"nsgRuleDirection\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Inbound\",\n \"Outbound\"\n ],\n \"defaultValue\": \"Outbound\"\n },\n \"nsgRuleAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"nsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"type\": 
\"string\",\n \"defaultValue\": \"Internet\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n \"value\": {\n \"name\": \"[[parameters('nsgRuleName')]\",\n \"properties\": {\n \"description\": \"[[parameters('nsgRuleDescription')]\",\n \"protocol\": \"[[parameters('nsgRuleProtocol')]\",\n \"sourcePortRange\": \"[[parameters('nsgRuleSourcePortRange')]\",\n \"destinationPortRange\": \"[[parameters('nsgRuleDestinationPortRange')]\",\n \"sourceAddressPrefix\": \"[[parameters('nsgRuleSourceAddressPrefix')]\",\n \"destinationAddressPrefix\": \"[[parameters('nsgRuleDestinationAddressPrefix')]\",\n \"access\": \"[[parameters('nsgRuleAccess')]\",\n \"priority\": \"[[parameters('nsgRulePriority')]\",\n \"direction\": \"[[parameters('nsgRuleDirection')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", "$fxv#14": "{\n \"name\": \"Deny-PostgreSql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL database servers enforce SSL connection.\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for 
PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for PostgreSQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#140": "{\n \"name\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n 
\"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Configure Azure Key Vaults to use private DNS zones\",\n \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"1.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID\",\n \"description\": \"A private DNS zone ID to connect to the private endpoint.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"vault\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n 
\"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"keyvault-privateDnsZone\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#141": "{\n \"name\": \"Deploy-Private-DNS-Azure-Web\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Azure Web PubSub Service to use private DNS zones\",\n \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. 
Learn more at: https://aka.ms/awps/privatelink.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Web PubSub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone Id\",\n \"description\": \"Private DNS zone to integrate with private endpoint.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"webpubsub\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), 
'/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"privatelink-webpubsub-azure-com\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#142": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n 
\"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#143": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. 
Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. 
It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": 
\"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#144": "{\n \"name\": \"Deploy-Default-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. 
This policy must be assigned for each region you plan to use.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"defaultRoute\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Default route to add into UDR\",\n \"description\": \"Policy will deploy a default route table to a vnet\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"VNet Region\",\n \"description\": \"Regional VNet hub location\",\n \"strongType\": \"location\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n \"equals\": \"[[parameters('defaultRoute')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"udrName\": {\n \"value\": \"[[concat(field('name'),'-udr')]\"\n },\n \"udrLocation\": {\n \"value\": \"[[field('location')]\"\n },\n \"defaultRoute\": {\n \"value\": \"[[parameters('defaultRoute')]\"\n }\n },\n \"template\": {\n \"$schema\": 
\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"udrName\": {\n \"type\": \"string\"\n },\n \"udrLocation\": {\n \"type\": \"string\"\n },\n \"defaultRoute\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"name\": \"[[parameters('udrName')]\",\n \"apiVersion\": \"2020-08-01\",\n \"location\": \"[[parameters('udrLocation')]\",\n \"properties\": {\n \"routes\": [\n {\n \"name\": \"AzureFirewallRoute\",\n \"properties\": {\n \"addressPrefix\": \"0.0.0.0/0\",\n \"nextHopType\": \"VirtualAppliance\",\n \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#145": "{\n \"name\": \"Audit-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused resources driving cost should be avoided\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. 
Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectDisks\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Disks Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectPublicIpAddresses\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PublicIpAddresses Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectServerFarms\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ServerFarms Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDisks')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectServerFarms')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Audit\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#146": "{\n \"name\": \"Audit-TrustedLaunch\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit virtual machines for Trusted Launch support\",\n \"description\": \"Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). 
To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Trusted Launch\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksOsTrustedLaunch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditTrustedLaunchEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#147": "{\n \"name\": \"Deploy-Sql-Security\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n 
\"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability 
Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#148": 
"{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"2.1.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. 
Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. 
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. 
Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. 
Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. 
Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. 
Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. 
Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n 
},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n 
\"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n 
\"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#149": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n 
\"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. 
For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#140": "{\n \"name\": \"Modify-UDR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n 
\"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of User-Defined Routes (UDR)\",\n \"description\": \"This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"addressPrefix\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The destination IP address range in CIDR notation that this Policy checks for within the UDR. Example: 0.0.0.0/0 to check for the presence of a default route.\",\n \"displayName\": \"Address Prefix\"\n }\n },\n \"nextHopType\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The next hope type that the policy checks for within the inspected route. 
The value can be Virtual Network, Virtual Network Gateway, Internet, Virtual Appliance, or None.\",\n \"displayName\": \"Next Hop Type\"\n },\n \"allowedValues\": [\n \"VnetLocal\",\n \"VirtualNetworkGateway\",\n \"Internet\",\n \"VirtualAppliance\",\n \"None\"\n ]\n },\n \"nextHopIpAddress\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The IP address packets should be forwarded to.\",\n \"displayName\": \"Next Hop IP Address\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/routeTables\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"value\": {\n \"name\": \"default\",\n \"properties\": {\n \"addressPrefix\": \"[[parameters('addressPrefix')]\",\n \"nextHopType\": \"[[parameters('nextHopType')]\",\n \"nextHopIpAddress\": \"[[parameters('nextHopIpAddress')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", + "$fxv#141": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. 
See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for Paas services\",\n \"description\": \"The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. 
Also referred to as subresource.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": 
\"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#142": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#143": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": 
\"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#144": "{\n \"name\": \"Deny-Databricks-NoPublicIp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public IPs for Databricks cluster\",\n \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n 
\"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n \"notEquals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#145": "{\n \"name\": \"Deny-Databricks-Sku\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny non-premium Databricks sku\",\n \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n \"notEquals\": \"premium\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#146": "{\n \"name\": 
\"Deny-Databricks-VirtualNetwork\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n \"exists\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#147": "{\n \"name\": \"Deny-MachineLearning-Aks\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n 
\"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AKS\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#148": "{\n \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": 
\"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#149": "{\n \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVmSizes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n },\n \"defaultValue\": [\n \"Standard_D1_v2\",\n \"Standard_D2_v2\",\n \"Standard_D3_v2\",\n \"Standard_D4_v2\",\n 
\"Standard_D11_v2\",\n \"Standard_D12_v2\",\n \"Standard_D13_v2\",\n \"Standard_D14_v2\",\n \"Standard_DS1_v2\",\n \"Standard_DS2_v2\",\n \"Standard_DS3_v2\",\n \"Standard_DS4_v2\",\n \"Standard_DS5_v2\",\n \"Standard_DS11_v2\",\n \"Standard_DS12_v2\",\n \"Standard_DS13_v2\",\n \"Standard_DS14_v2\",\n \"Standard_M8-2ms\",\n \"Standard_M8-4ms\",\n \"Standard_M8ms\",\n \"Standard_M16-4ms\",\n \"Standard_M16-8ms\",\n \"Standard_M16ms\",\n \"Standard_M32-8ms\",\n \"Standard_M32-16ms\",\n \"Standard_M32ls\",\n \"Standard_M32ms\",\n \"Standard_M32ts\",\n \"Standard_M64-16ms\",\n \"Standard_M64-32ms\",\n \"Standard_M64ls\",\n \"Standard_M64ms\",\n \"Standard_M64s\",\n \"Standard_M128-32ms\",\n \"Standard_M128-64ms\",\n \"Standard_M128ms\",\n \"Standard_M128s\",\n \"Standard_M64\",\n \"Standard_M64m\",\n \"Standard_M128\",\n \"Standard_M128m\",\n \"Standard_D1\",\n \"Standard_D2\",\n \"Standard_D3\",\n \"Standard_D4\",\n \"Standard_D11\",\n \"Standard_D12\",\n \"Standard_D13\",\n \"Standard_D14\",\n \"Standard_DS15_v2\",\n \"Standard_NV6\",\n \"Standard_NV12\",\n \"Standard_NV24\",\n \"Standard_F2s_v2\",\n \"Standard_F4s_v2\",\n \"Standard_F8s_v2\",\n \"Standard_F16s_v2\",\n \"Standard_F32s_v2\",\n \"Standard_F64s_v2\",\n \"Standard_F72s_v2\",\n \"Standard_NC6s_v3\",\n \"Standard_NC12s_v3\",\n \"Standard_NC24rs_v3\",\n \"Standard_NC24s_v3\",\n \"Standard_NC6\",\n \"Standard_NC12\",\n \"Standard_NC24\",\n \"Standard_NC24r\",\n \"Standard_ND6s\",\n \"Standard_ND12s\",\n \"Standard_ND24rs\",\n \"Standard_ND24s\",\n \"Standard_NC6s_v2\",\n \"Standard_NC12s_v2\",\n \"Standard_NC24rs_v2\",\n \"Standard_NC24s_v2\",\n \"Standard_ND40rs_v2\",\n \"Standard_NV12s_v3\",\n \"Standard_NV24s_v3\",\n \"Standard_NV48s_v3\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n 
\"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n \"notIn\": \"[[parameters('allowedVmSizes')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#15": "{\n \"name\": \"Deny-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny the creation of private DNS\",\n \"description\": \"This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateDnsZones\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#150": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n 
\"alzCloudEnvironments\": [ \n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", - "$fxv#151": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in 
the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#152": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": 
\"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#153": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. 
Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": 
[]\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#154": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n 
\"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"4.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": 
\"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n 
\"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. 
Bots should be seet to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be seet to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n 
\"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\" : {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\" : {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n 
\"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n 
\"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#155": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. 
Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n 
\"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n 
\"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n 
\"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": 
\"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n 
},\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n 
\"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": 
{\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#156": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n 
\"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n 
\"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#157": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": 
\"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. 
Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n 
],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n 
\"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#158": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone 
Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": 
\"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": 
\"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": 
\"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n 
\"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS 
Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n 
},\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n 
\"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": 
\"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n 
\"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"parameters\": {\n 
\"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n 
},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n 
\"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": 
\"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBotServicePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": 
\"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"parameters\":{\n \"privateDnsZoneIdForGuestConfiguration\": {\n \"value\": 
\"[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIdForHybridResourceProvider\": {\n \"value\": \"[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIdForKubernetesConfiguration\": {\n \"value\": \"[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotCentralPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": 
\"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#159": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. 
CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. 
The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. 
Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#150": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n 
\"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#151": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"maxNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": 
\"Maximum Node Count\",\n \"description\": \"Specifies the maximum node count of AML Clusters\"\n },\n \"defaultValue\": 10\n },\n \"minNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Node Count\",\n \"description\": \"Specifies the minimum node count of AML Clusters\"\n },\n \"defaultValue\": 0\n },\n \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n },\n \"defaultValue\": 900\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n \"greater\": \"[[parameters('maxNodeCount')]\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n \"greater\": \"[[parameters('minNodeCount')]\"\n },\n {\n \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#152": "{\n \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforces high business 
impact Azure Machine Learning Workspaces\",\n \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#153": "{\n \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n 
\"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#154": "{\n \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n \"description\": \"Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": 
\"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#155": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. 
It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. 
It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": 
\"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#156": "{\n \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all and categorys enabled.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": 
\"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#157": "{\n \"name\": \"Deny-AFSPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Public network 
access should be disabled for Azure File Sync\",\n \"description\": \"Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.StorageSync/storageSyncServices\"\n },\n {\n \"field\": \"Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy\",\n \"notEquals\": \"AllowVirtualNetworksOnly\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#158": "{\n \"name\": \"Deny-KeyVaultPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Azure Key Vault should disable public network access\",\n \"description\": \"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. 
Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"2.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.KeyVault/vaults\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.KeyVault/vaults/createMode\",\n \"equals\": \"recover\"\n }\n },\n {\n \"field\": \"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\n \"notEquals\": \"Deny\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#159": "{\n \"name\": \"Deploy-ActivityLogs-to-LA-workspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Configure Azure Activity logs to stream to specified Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions 
(or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\",\n \"assignPermissions\": true\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n },\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"defaultValue\": \"True\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"chinaeast2\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"string\"\n },\n \"logsEnabled\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"subscriptionToLa\",\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"location\": \"Global\",\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n 
\"logs\": [\n {\n \"category\": \"Administrative\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Security\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ServiceHealth\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Alert\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Recommendation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Policy\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ResourceHealth\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ]\n }\n }\n }\n }\n}\n", "$fxv#16": "{\n \"name\": \"Deny-PublicEndpoint-MariaDB\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Public network access should be disabled for MariaDB\",\n \"description\": \"This policy denies the creation of Maria DB accounts with exposed public endpoints. 
Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMariaDB/servers\"\n },\n {\n \"field\": \"Microsoft.DBforMariaDB/servers/publicNetworkAccess\",\n \"notequals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#160": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n 
\"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#161": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n 
\"policyType\": \"Custom\",\n \"displayName\": \"Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace\",\n \"description\": \"Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection 
Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": 
\"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n 
\"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#162": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n 
\"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"CheckLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#163": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n 
},\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": 
\"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n 
\"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#164": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n 
}\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#165": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n 
\"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. 
Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#166": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": 
{\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": 
\"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n 
\"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": 
\"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n 
}\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": 
\"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#167": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. 
Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). 
When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#168": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n 
\"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n 
\"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n 
}\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": 
null\n }\n}\n", - "$fxv#169": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. 
The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n 
},\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n 
\"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n 
\"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": 
{\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n 
\"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n 
\"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n 
\"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#160": "{\n \"name\": \"Deploy-Default-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. 
This policy must be assigned for each region you plan to use.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"defaultRoute\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Default route to add into UDR\",\n \"description\": \"Policy will deploy a default route table to a vnet\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"VNet Region\",\n \"description\": \"Regional VNet hub location\",\n \"strongType\": \"location\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n \"equals\": \"[[parameters('defaultRoute')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"udrName\": {\n \"value\": \"[[concat(field('name'),'-udr')]\"\n },\n \"udrLocation\": {\n \"value\": \"[[field('location')]\"\n },\n \"defaultRoute\": {\n \"value\": \"[[parameters('defaultRoute')]\"\n }\n },\n \"template\": {\n \"$schema\": 
\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"udrName\": {\n \"type\": \"string\"\n },\n \"udrLocation\": {\n \"type\": \"string\"\n },\n \"defaultRoute\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"name\": \"[[parameters('udrName')]\",\n \"apiVersion\": \"2020-08-01\",\n \"location\": \"[[parameters('udrLocation')]\",\n \"properties\": {\n \"routes\": [\n {\n \"name\": \"AzureFirewallRoute\",\n \"properties\": {\n \"addressPrefix\": \"0.0.0.0/0\",\n \"nextHopType\": \"VirtualAppliance\",\n \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#161": "{\n \"name\": \"Deploy-MySQLCMKEffect\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"MySQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\",\n \"metadata\": {\n \"version\": \"1.0.4\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforMySQL/servers/keys\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/serverKeyType\",\n \"equals\": \"AzureKeyVault\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n \"notEquals\": \"\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n \"exists\": \"true\"\n }\n ]\n }\n }\n }\n }\n }\n}\n", + "$fxv#162": "{\n \"name\": \"Deploy-PostgreSQLCMKEffect\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\",\n \"metadata\": {\n \"version\": \"1.0.4\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforPostgreSQL/servers/keys\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/serverKeyType\",\n \"equals\": \"AzureKeyVault\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n \"notEquals\": \"\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n \"exists\": \"true\"\n }\n ]\n }\n }\n }\n }\n }\n}\n", + "$fxv#163": "{\n \"name\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Azure File Sync to use private DNS zones\",\n \"description\": \"To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. 
This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"privateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"afs\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f\",\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n 
\"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"privatelink-afs\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#164": "{\n \"name\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Configure Azure Key Vaults to use private DNS zones\",\n \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. 
Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"1.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID\",\n \"description\": \"A private DNS zone ID to connect to the private endpoint.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"vault\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n 
{\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"keyvault-privateDnsZone\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#165": "{\n \"name\": \"Deploy-Private-DNS-Azure-Web\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Azure Web PubSub Service to use private DNS zones\",\n \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. 
Learn more at: https://aka.ms/awps/privatelink.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Web PubSub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone Id\",\n \"description\": \"Private DNS zone to integrate with private endpoint.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"webpubsub\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), 
'/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"privatelink-webpubsub-azure-com\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#166": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n 
\"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#167": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. 
Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. 
It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": 
\"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#168": "{\n \"name\": \"Deploy-Default-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. 
This policy must be assigned for each region you plan to use.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"defaultRoute\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Default route to add into UDR\",\n \"description\": \"Policy will deploy a default route table to a vnet\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"VNet Region\",\n \"description\": \"Regional VNet hub location\",\n \"strongType\": \"location\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n \"equals\": \"[[parameters('defaultRoute')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"udrName\": {\n \"value\": \"[[concat(field('name'),'-udr')]\"\n },\n \"udrLocation\": {\n \"value\": \"[[field('location')]\"\n },\n \"defaultRoute\": {\n \"value\": \"[[parameters('defaultRoute')]\"\n }\n },\n \"template\": {\n \"$schema\": 
\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"udrName\": {\n \"type\": \"string\"\n },\n \"udrLocation\": {\n \"type\": \"string\"\n },\n \"defaultRoute\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"name\": \"[[parameters('udrName')]\",\n \"apiVersion\": \"2020-08-01\",\n \"location\": \"[[parameters('udrLocation')]\",\n \"properties\": {\n \"routes\": [\n {\n \"name\": \"AzureFirewallRoute\",\n \"properties\": {\n \"addressPrefix\": \"0.0.0.0/0\",\n \"nextHopType\": \"VirtualAppliance\",\n \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#17": "{\n \"name\": \"Deny-PublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Deny the creation of public IP\",\n \"description\": \"[Deprecated] This policy denies creation of Public IPs under the assigned scope. 
Superseded by https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html using appropriate assignment parameters.\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/publicIPAddresses\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#170": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n 
\"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n 
\"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - 
"$fxv#171": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": 
\"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS 
Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": 
\"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n 
\"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n 
\"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#172": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. 
CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. 
The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. 
Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#18": "{\n \"name\": \"Deny-RDP-From-Internet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"[Deprecated] RDP access from the Internet should be blocked\",\n \"description\": \"This policy denies any network security rule that allows RDP access from Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"Deny-MgmtPorts-From-Internet\",\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules\"\n },\n {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/access\",\n \"equals\": \"Allow\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\n \"equals\": \"Inbound\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"equals\": \"*\"\n },\n {\n \"field\": 
\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"equals\": \"3389\"\n },\n {\n \"value\": \"[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]\",\n \"equals\": \"true\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notEquals\": \"3389\"\n }\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"Internet\"\n },\n {\n \"not\": {\n \"field\": 
\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"Internet\"\n }\n }\n ]\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#19": "{\n \"name\": \"Deny-MgmtPorts-From-Internet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Management port access from the Internet should be blocked\",\n \"description\": \"This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports.\",\n \"metadata\": {\n \"version\": \"2.1.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deny-RDP-From-Internet\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ports\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules\"\n },\n {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/access\",\n \"equals\": \"Allow\"\n },\n {\n \"field\": 
\"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\n \"equals\": \"Inbound\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"in\": \"[[parameters('ports')]\"\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current())),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current()))), 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"name\": \"ports\",\n \"where\": {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n }\n },\n \"greater\": 0\n },\n {\n \"not\": {\n \"field\": 
\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notIn\": \"[[parameters('ports')]\"\n }\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"Internet\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"Internet\"\n }\n }\n ]\n }\n ]\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].access\",\n \"equals\": \"Allow\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].direction\",\n \"equals\": \"Inbound\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange\",\n \"in\": \"[[parameters('ports')]\"\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"name\": \"ports\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'),'-')), 
and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports')))), 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"name\": \"ports\",\n \"where\": {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n }\n },\n \"greater\": 0\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n \"notIn\": \"[[parameters('ports')]\"\n }\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix\",\n \"equals\": \"Internet\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n 
\"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]\",\n \"notEquals\": \"Internet\"\n }\n }\n ]\n }\n ]\n }\n },\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#2": "{\n \"name\": \"Append-KV-SoftDelete\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"KeyVault SoftDelete should be enabled\",\n \"description\": \"This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.KeyVault/vaults\"\n },\n {\n \"field\": \"Microsoft.KeyVault/vaults/enableSoftDelete\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"append\",\n \"details\": [\n {\n \"field\": \"Microsoft.KeyVault/vaults/enableSoftDelete\",\n \"value\": true\n }\n ]\n }\n }\n }\n}\n", "$fxv#20": "{\n \"name\": \"Deny-Redis-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Cache for Redis only secure connections should be enabled\",\n \"description\": \"Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cache\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select minumum TLS version for Azure Cache for Redis.\",\n \"description\": \"Select minimum TLS version for Azure Cache for Redis.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cache/redis\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Cache/Redis/enableNonSslPort\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Cache/Redis/minimumTlsVersion\",\n \"notequals\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#21": "{\n \"name\": \"Deny-Sql-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure SQL Database should have the minimal TLS version set to the highest version\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed 
from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#22": "{\n \"name\": \"Deny-SqlMi-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version set to the highest version\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. 
Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/managedInstances\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#23": "{\n \"name\": \"Deny-Storage-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Storage Account set to minimum TLS and Secure transfer should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"value\": \"[[requestContext().apiVersion]\",\n \"less\": \"2019-04-01\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"exists\": \"false\"\n }\n ]\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"equals\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"notequals\": \"[[parameters('minimumTlsVersion')]\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#23": "{\n \"name\": \"Deny-Storage-minTLS\",\n \"type\": 
\"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"[Deprecated] Storage Account set to minimum TLS and Secure transfer should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/fe83a0eb-a853-422d-aac2-1bffd182c5d0.html and https://www.azadvertizer.net/azpolicyadvertizer/404c3081-a854-4457-ae30-26a93ef643f9.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"fe83a0eb-a853-422d-aac2-1bffd182c5d0,404c3081-a854-4457-ae30-26a93ef643f9\",\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"value\": \"[[requestContext().apiVersion]\",\n \"less\": \"2019-04-01\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"exists\": \"false\"\n }\n ]\n },\n {\n 
\"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"equals\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"notequals\": \"[[parameters('minimumTlsVersion')]\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#24": "{\n \"name\": \"Deny-Storage-SFTP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Storage Accounts with SFTP enabled should be denied\",\n \"description\": \"This policy denies the creation of Storage Accounts with SFTP enabled for Blob Storage.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/isSftpEnabled\",\n \"equals\": \"true\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#25": "{\n \"name\": \"Deny-Subnet-Without-Nsg\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Subnets 
should have a Network Security Group\",\n \"description\": \"This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"excludedSubnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Excluded Subnets\",\n \"description\": \"Array of subnet names that are excluded from this policy\"\n },\n \"defaultValue\": [\n \"GatewaySubnet\",\n \"AzureFirewallSubnet\",\n \"AzureFirewallManagementSubnet\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"equals\": \"Microsoft.Network/virtualNetworks\",\n \"field\": \"type\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"exists\": \"false\",\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n }\n ]\n }\n },\n \"notEquals\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"field\": \"name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#26": "{\n 
\"name\": \"Deny-Subnet-Without-Penp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Subnets without Private Endpoint Network Policies enabled should be denied\",\n \"description\": \"This policy denies the creation of a subnet without Private Endpoint Netwotk Policies enabled. This policy is intended for 'workload' subnets, not 'central infrastructure' (aka, 'hub') subnets.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"excludedSubnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Excluded Subnets\",\n \"description\": \"Array of subnet names that are excluded from this policy\"\n },\n \"defaultValue\": [\n \"GatewaySubnet\",\n \"AzureFirewallSubnet\",\n \"AzureFirewallManagementSubnet\",\n \"AzureBastionSubnet\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"equals\": \"Microsoft.Network/virtualNetworks\",\n \"field\": \"type\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n }\n ]\n }\n },\n \"notEquals\": 0\n }\n ]\n },\n 
{\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"field\": \"name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/privateEndpointNetworkPolicies\",\n \"notEquals\": \"Enabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", 
@@ -245,7 +201,7 @@ "$fxv#57": "{\n \"name\": \"Deploy-Diagnostics-EventGridTopic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventGrid/topics\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.EventGrid/topics/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"DeliveryFailures\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PublishFailures\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataPlaneRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n 
\"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", "$fxv#58": "{\n \"name\": \"Deploy-Diagnostics-ExpressRoute\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/expressRouteCircuits\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": 
[\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"PeeringRouteLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", "$fxv#59": "{\n 
\"name\": \"Deploy-Diagnostics-Firewall\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"logAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics destination type\",\n \"description\": \"Select destination type for Log Analytics. Allowed values are 'Dedicated' (resource specific) and 'AzureDiagnostics'. 
Default is 'AzureDiagnostics'\"\n },\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ]\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/azureFirewalls\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"logAnalyticsDestinationType\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/azureFirewalls/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logAnalyticsDestinationType\": \"[[parameters('logAnalyticsDestinationType')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"AzureFirewallApplicationRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AzureFirewallNetworkRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AzureFirewallDnsProxy\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNetworkRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWApplicationRule\",\n \"enabled\": 
\"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNatRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWThreatIntel\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWIdpsSignature\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWDnsQuery\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWFqdnResolveFailure\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWApplicationRuleAggregation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNetworkRuleAggregation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNatRuleAggregation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWFatFlow\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWFlowTrace\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('logAnalyticsDestinationType')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#6": "{\n \"name\": \"Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused Public IP addresses driving cost should be avoided\",\n \"mode\": \"All\",\n \"description\": 
\"Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"microsoft.network/publicIpAddresses\"\n },\n {\n \"field\": \"Microsoft.Network/publicIPAddresses/sku.name\",\n \"notEquals\": \"Basic\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/publicIPAddresses/natGateway\",\n \"exists\": false\n },\n {\n \"value\": \"[[equals(length(field('Microsoft.Network/publicIPAddresses/natGateway')), 0)]\",\n \"equals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/publicIPAddresses/ipConfiguration\",\n \"exists\": false\n },\n {\n \"value\": \"[[equals(length(field('Microsoft.Network/publicIPAddresses/ipConfiguration')), 0)]\",\n \"equals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/publicIPAddresses/publicIPPrefix\",\n \"exists\": false\n },\n {\n \"value\": \"[[equals(length(field('Microsoft.Network/publicIPAddresses/publicIPPrefix')), 0)]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#6": "{\n \"name\": \"Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n 
\"policyType\": \"Custom\",\n \"displayName\": \"Unused Public IP addresses driving cost should be avoided\",\n \"mode\": \"All\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"microsoft.network/publicIpAddresses\"\n },\n {\n \"field\": \"Microsoft.Network/publicIPAddresses/publicIPAllocationMethod\",\n \"equals\": \"Static\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/publicIPAddresses/natGateway\",\n \"exists\": false\n },\n {\n \"value\": \"[[equals(length(field('Microsoft.Network/publicIPAddresses/natGateway')), 0)]\",\n \"equals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/publicIPAddresses/ipConfiguration\",\n \"exists\": false\n },\n {\n \"value\": \"[[equals(length(field('Microsoft.Network/publicIPAddresses/ipConfiguration')), 0)]\",\n \"equals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/publicIPAddresses/publicIPPrefix\",\n \"exists\": false\n },\n {\n \"value\": \"[[equals(length(field('Microsoft.Network/publicIPAddresses/publicIPPrefix')), 0)]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", "$fxv#60": "{\n \"name\": \"Deploy-Diagnostics-FrontDoor\",\n 
\"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n 
},\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/frontDoors\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/frontDoors/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n 
\"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"FrontdoorAccessLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"FrontdoorWebApplicationFirewallLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", "$fxv#61": "{\n \"name\": \"Deploy-Diagnostics-Function\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"value\": \"[[field('kind')]\",\n \"contains\": 
\"functionapp\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/sites/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": 
\"FunctionAppLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", "$fxv#62": "{\n \"name\": \"Deploy-Diagnostics-HDInsight\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HDInsight/clusters\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n 
\"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.HDInsight/clusters/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", @@ -425,9 +381,7 @@ "[variables('$fxv#114')]", "[variables('$fxv#115')]", "[variables('$fxv#116')]", - "[variables('$fxv#117')]" - ], - "AzureCloud": [ + "[variables('$fxv#117')]", "[variables('$fxv#118')]", "[variables('$fxv#119')]", "[variables('$fxv#120')]", @@ -442,9 +396,7 @@ "[variables('$fxv#129')]", "[variables('$fxv#130')]", "[variables('$fxv#131')]", - "[variables('$fxv#132')]" - ], - "AzureChinaCloud": [ + "[variables('$fxv#132')]", "[variables('$fxv#133')]", "[variables('$fxv#134')]", "[variables('$fxv#135')]", 
@@ -455,14 +407,10 @@ "[variables('$fxv#140')]", "[variables('$fxv#141')]" ], - "AzureUSGovernment": [ + "AzureCloud": [ "[variables('$fxv#142')]", "[variables('$fxv#143')]", - "[variables('$fxv#144')]" - ] - }, - "loadPolicySetDefinitions": { - "All": [ + "[variables('$fxv#144')]", "[variables('$fxv#145')]", "[variables('$fxv#146')]", "[variables('$fxv#147')]", @@ -471,32 +419,26 @@ "[variables('$fxv#150')]", "[variables('$fxv#151')]", "[variables('$fxv#152')]", - "[variables('$fxv#153')]" - ], - "AzureCloud": [ + "[variables('$fxv#153')]", "[variables('$fxv#154')]", "[variables('$fxv#155')]", - "[variables('$fxv#156')]", + "[variables('$fxv#156')]" + ], + "AzureChinaCloud": [ "[variables('$fxv#157')]", "[variables('$fxv#158')]", "[variables('$fxv#159')]", "[variables('$fxv#160')]", "[variables('$fxv#161')]", - "[variables('$fxv#162')]" - ], - "AzureChinaCloud": [ + "[variables('$fxv#162')]", "[variables('$fxv#163')]", "[variables('$fxv#164')]", - "[variables('$fxv#165')]", - "[variables('$fxv#166')]", - "[variables('$fxv#167')]" + "[variables('$fxv#165')]" ], "AzureUSGovernment": [ - "[variables('$fxv#168')]", - "[variables('$fxv#169')]", - "[variables('$fxv#170')]", - "[variables('$fxv#171')]", - "[variables('$fxv#172')]" + "[variables('$fxv#166')]", + "[variables('$fxv#167')]", + "[variables('$fxv#168')]" ] }, "policyDefinitionsByCloudType": { 
@@ -505,14 +447,7 @@ "AzureChinaCloud": "[variables('policyDefinitionsAzureChinaCloud')]", "AzureUSGovernment": "[variables('policyDefinitionsAzureUSGovernment')]" }, - "policySetDefinitionsByCloudType": { - "All": "[variables('policySetDefinitionsAll')]", - "AzureCloud": "[variables('policySetDefinitionsAzureCloud')]", - "AzureChinaCloud": "[variables('policySetDefinitionsAzureChinaCloud')]", - "AzureUSGovernment": "[variables('policySetDefinitionsAzureUSGovernment')]" - }, - "policyDefinitions": "[concat(variables('policyDefinitionsByCloudType').All, variables('policyDefinitionsByCloudType')[variables('cloudEnv')])]", - "policySetDefinitions": "[concat(variables('policySetDefinitionsByCloudType').All, variables('policySetDefinitionsByCloudType')[variables('cloudEnv')])]" + "policyDefinitions": "[concat(variables('policyDefinitionsByCloudType').All, variables('policyDefinitionsByCloudType')[variables('cloudEnv')])]" }, "resources": [ { 
@@ -532,27 +467,6 @@ "policyType": "[variables('policyDefinitions')[copyIndex()].properties.policyType]", "policyRule": "[variables('policyDefinitions')[copyIndex()].properties.policyRule]" } - }, - { - "copy": { - "name": "PolicySetDefinitions", - "count": "[length(variables('policySetDefinitions'))]" - }, - "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2020-09-01", - "name": "[variables('policySetDefinitions')[copyIndex()].name]", - "properties": { - "description": "[variables('policySetDefinitions')[copyIndex()].properties.description]", - "displayName": "[variables('policySetDefinitions')[copyIndex()].properties.displayName]", - "metadata": "[variables('policySetDefinitions')[copyIndex()].properties.metadata]", - "parameters": "[variables('policySetDefinitions')[copyIndex()].properties.parameters]", - "policyType": "[variables('policySetDefinitions')[copyIndex()].properties.policyType]", - "policyDefinitions": "[variables('policySetDefinitions')[copyIndex()].properties.policyDefinitions]", - "policyDefinitionGroups": "[variables('policySetDefinitions')[copyIndex()].properties.policyDefinitionGroups]" - }, - "dependsOn": [ - "PolicyDefinitions" - ] } ], "outputs": { @@ -562,13 +476,6 @@ "count": "[length(variables('policyDefinitions'))]", "input": "[variables('policyDefinitions')[copyIndex()].name]" } - }, - "policySetDefinitionNames": { - "type": "array", - "copy": { - "count": "[length(variables('policySetDefinitions'))]", - "input": "[variables('policySetDefinitions')[copyIndex()].name]" - } } } } \ No newline at end of file diff --git a/eslzArm/subscriptionTemplates/mdfcConfiguration.json b/eslzArm/subscriptionTemplates/mdfcConfiguration.json index 73254ec073..8c7273f9ce 100644 --- a/eslzArm/subscriptionTemplates/mdfcConfiguration.json +++ b/eslzArm/subscriptionTemplates/mdfcConfiguration.json 
@@ -158,7 +158,7 @@
 "type": "String",
 "metadata": {
 "displayName": "Resource group name",
- "description": "The name of the resource group hosting the Log Analytics workspace.",
+ "description": "The name of the resource group hosting the Log Analytics workspace."
 }
 },
 "logAnalyticsResourceId": {
@@ -604,7 +604,8 @@
 "[resourceId('Microsoft.Security/pricings', 'CloudPosture')]"
 ],
 "properties": {
- "pricingTier": "Standard"
+ "pricingTier": "Standard",
+ "subPlan": "P1"
 }
 },
 {
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json
index fd527f0e49..bda95b88d4 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json
@@ -9,7 +9,7 @@
 "mode": "All",
 "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Cost Optimization",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -40,8 +40,8 @@
 "equals": "microsoft.network/publicIpAddresses"
 },
 {
- "field": "Microsoft.Network/publicIPAddresses/sku.name",
- "notEquals": "Basic"
+ "field": "Microsoft.Network/publicIPAddresses/publicIPAllocationMethod",
+ "equals": "Static"
 },
 {
 "anyOf": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS.json
new file mode 100644
index 0000000000..e0d3e33ef7
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS.json
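Review bot: `"subPlan": "P1"` is hard-coded on a pricing resource whose name is outside this hunk (only its `dependsOn` on the CloudPosture pricing is visible), so which Defender plan this selects cannot be confirmed from here. Sub-plans change the coverage and cost of a plan, so if this plan offers more than one sub-plan, a parameter with `allowedValues` (constructed example: `"subPlan": "[parameters('<planName>SubPlan')]"`) would let operators choose deliberately instead of editing the template. If the fixed value is intended, a sentence in the template's parameter metadata describing the plan and sub-plan being enabled would make the choice reviewable. The enclosing resource starts before this hunk.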
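Review bot: The rule now matches only addresses with `publicIPAllocationMethod` equal to `Static` and no longer excludes the `Basic` SKU, but the `description` still speaks generically of "orphaned Public IP addresses", so an assignment reader cannot tell why a dynamically allocated, unassociated address is reported as compliant. Since the version was bumped to 1.1.0 anyway, the description should state the narrowed scope, e.g. `"description": "Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned, statically allocated Public IP addresses that are driving cost."`. The reasoning that dynamic addresses released from a resource are not chargeable appears to be the motivation but is not recorded anywhere in the definition.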
@@ -0,0 +1,70 @@ +{ + "name": "Deny-APIM-TLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "API Management services should use TLS version 1.2", + "description": "Azure API Management service should use TLS version 1.2", + "metadata": { + "version": "1.0.0", + "category": "API Management", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.ApiManagement/service" + }, + { + "anyOf": [ + { + "value": "[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\":\"true\"')]", + "greater": 0 + }, + { + "value": "[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\":true')]", + "greater": 0 + }, + { + "value": "[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\":\"true\"')]", + "greater": 0 + }, + { + "value": "[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\":true')]", + "greater": 0 + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
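Review bot: The four `indexof` conditions only detect an explicit `true` for the gateway `Tls10`/`Tls11` custom properties, so the policy cannot distinguish "explicitly disabled" from "not set", and if the service's default for an absent key is enabled (this depends on the APIM service and should be confirmed) a fresh instance with no custom properties is reported compliant even though it negotiates TLS 1.0/1.1. The display name promises "TLS version 1.2" but the `Ssl30` gateway property and the corresponding `Backend.Protocols.Tls10`/`Tls11` keys are not checked, so either the name should be narrowed to what is enforced or those keys added as further `anyOf` entries. The substring match also depends on `string(field(...))` producing compact JSON (`":"true"` with no whitespace); a short note in the `description` explaining that the rule matches serialized custom properties would help the next maintainer understand why both the quoted and unquoted `true` variants are listed.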
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls.json
new file mode 100644
index 0000000000..bb0b59e0aa
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls.json
@@ -0,0 +1,78 @@ +{ + "name": "Deny-AppGw-Without-Tls", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2", + "description": "This policy enables you to restrict that Application Gateways is always deployed with predefined Microsoft policy that is using TLS version 1.2", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "predefinedPolicyName": { + "type": "array", + "metadata": { + "displayName": "Predefined policy name", + "description": "Predefined policy name" + }, + "defaultValue": [ + "AppGwSslPolicy20220101", + "AppGwSslPolicy20170401S", + "AppGwSslPolicy20220101S" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/applicationGateways" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/applicationGateways/sslPolicy.policyType", + "notEquals": "Predefined" + }, + { + "field": "Microsoft.Network/applicationGateways/sslPolicy.policyType", + "exists": "false" + }, + { + "field": "Microsoft.Network/applicationGateways/sslPolicy.policyName", + "notIn": "[[parameters('predefinedPolicyName')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
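Review bot: The `predefinedPolicyName` parameter has a `defaultValue` but no `allowedValues`, so an assignment can pass predefined policy names that permit TLS 1.0 or 1.1 (for example `AppGwSslPolicy20150501` or `AppGwSslPolicy20170401`) and the gateway is then treated as compliant, contradicting the display name. Adding `"allowedValues": ["AppGwSslPolicy20170401S", "AppGwSslPolicy20220101", "AppGwSslPolicy20220101S"]` next to the default keeps the parameter flexible while preventing a weaker assignment. The parameter `description` merely repeats the display name; `"description": "Predefined Application Gateway SSL policy names that enforce a minimum of TLS 1.2; any other sslPolicy.policyType or policyName is non-compliant"` would also make explicit that `Custom`/`CustomV2` policies are rejected regardless of their minimum protocol version.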
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC.json new file mode 100644 index 0000000000..dbad204a06 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC.json @@ -0,0 +1,62 @@ +{ + "name": "Deny-AppService-without-BYOC", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "App Service certificates must be stored in Key Vault", + "description": "App Service (including Logic apps and Function apps) must use certificates stored in Key Vault", + "metadata": { + "version": "1.0.0", + "category": "App Service", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/certificates" + }, + { + "anyOf": [ + { + "field": "Microsoft.Web/certificates/keyVaultId", + "exists": "false" + }, + { + "field": "Microsoft.Web/certificates/keyVaultSecretName", + "exists": "false" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AzFw-Without-Policy.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AzFw-Without-Policy.json new file mode 100644 index 0000000000..62e10290e9 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AzFw-Without-Policy.json 
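Review bot: `effect` defaults to `Audit` here while the definition is named `Deny-AppService-without-BYOC` and every other new definition in this change defaults to `Deny`; if Audit is deliberate, the reason belongs in the definition so the inconsistency is not "fixed" later. A likely reason is that App Service managed certificates and directly uploaded PFX certificates carry no `keyVaultId`/`keyVaultSecretName` and would be blocked by a Deny default (inferred from the rule, not stated anywhere in the file). Either set `"defaultValue": "Deny"` for consistency or extend the description, e.g. `"description": "App Service (including Logic apps and Function apps) must use certificates stored in Key Vault. Defaults to Audit because managed and uploaded certificates are reported as non-compliant."`.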
@@ -0,0 +1,54 @@
+{
+ "name": "Deny-AzFw-Without-Policy",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Azure Firewall should have a default Firewall Policy",
+ "description": "This policy denies the creation of Azure Firewall without a default Firewall Policy.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/azureFirewalls"
+ },
+ {
+ "field": "Microsoft.Network/azureFirewalls/firewallPolicy.id",
+ "exists": "false"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls.json
new file mode 100644
index 0000000000..eefefd8d7c
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls.json
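Review bot: `exists` is written as the string `"false"` here and in most of the other new definitions, but as the boolean `false` in Deny-Storage-ContainerDeleteRetentionPolicy; both forms appear to be accepted by Azure Policy, yet one convention should be picked for this set so that reviewers do not have to ask whether the difference is meaningful. The description says the policy "denies the creation" of a firewall, while `effect` also allows `Audit` and `Disabled`; `"description": "Azure Firewall resources without an associated Firewall Policy are audited or denied, depending on the selected effect."` would describe the actual behaviour.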
@@ -0,0 +1,66 @@ +{ + "name": "Deny-CognitiveServices-NetworkAcls", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Network ACLs should be restricted for Cognitive Services", + "description": "Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. Enable this to restrict inbound network access and enforce the usage of private endpoints.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + { + "anyOf": [ + { + "count": { + "field": "Microsoft.CognitiveServices/accounts/networkAcls.ipRules[*]" + }, + "greater": 0 + }, + { + "count": { + "field": "Microsoft.CognitiveServices/accounts/networkAcls.virtualNetworkRules[*]" + }, + "greater": 0 + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-Resource-Kinds.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-Resource-Kinds.json new file mode 100644 index 0000000000..e306a69eb0 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-Resource-Kinds.json 
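Review bot: The rule only flags accounts that have one or more `networkAcls.ipRules[*]` or `networkAcls.virtualNetworkRules[*]` entries, so an account with empty rule lists and a default action that allows all networks is fully reachable from the internet yet compliant, which does not match the description's claim to "restrict inbound network access and enforce the usage of private endpoints". If the intent is only to forbid service-level firewall exceptions, say so: `"description": "Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. This policy does not by itself disable public network access; pair it with a definition that enforces private endpoints."`. If the intent really is to enforce private endpoints, a further `anyOf` entry on the account's public network access or the ACL default action is needed (which alias to use should be verified against the current Cognitive Services schema).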
@@ -0,0 +1,95 @@ +{ + "name": "Deny-CognitiveServices-Resource-Kinds", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Only explicit kinds for Cognitive Services should be allowed", + "description": "Azure Cognitive Services should only create explicit allowed kinds.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "allowedKinds": { + "type": "array", + "metadata": { + "displayName": "Effect", + "description": "Select the allowed resource kinds to be used with Cognitive Services" + }, + "allowedValues": [ + "AnomalyDetector", + "ComputerVision", + "CognitiveServices", + "ContentModerator", + "CustomVision.Training", + "CustomVision.Prediction", + "Face", + "FormRecognizer", + "ImmersiveReader", + "LUIS", + "Personalizer", + "SpeechServices", + "TextAnalytics", + "TextTranslation", + "OpenAI" + ], + "defaultValue": [ + "AnomalyDetector", + "ComputerVision", + "CognitiveServices", + "ContentModerator", + "CustomVision.Training", + "CustomVision.Prediction", + "Face", + "FormRecognizer", + "ImmersiveReader", + "LUIS", + "Personalizer", + "SpeechServices", + "TextAnalytics", + "TextTranslation", + "OpenAI" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + { + "field": "kind", + "notIn": "[[parameters('allowedKinds')]" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
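Review bot: The `allowedKinds` parameter's metadata has `"displayName": "Effect"`, a copy-paste from the `effect` parameter, so the assignment UI shows two parameters titled "Effect"; it should read `"displayName": "Allowed kinds"`. Because `allowedValues` and `defaultValue` carry the same fifteen kinds, operators can only narrow the list, and any new Cognitive Services kind will require a new version of this definition before it can be permitted; a sentence in the parameter `description` noting that would save a support question later.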
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess.json new file mode 100644 index 0000000000..50f1fc531f --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess.json @@ -0,0 +1,62 @@ +{ + "name": "Deny-CognitiveServices-RestrictOutboundNetworkAccess", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Outbound network access should be restricted for Cognitive Services", + "description": "Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess", + "exists": "false" + }, + { + "field": "Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess", + "notEquals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-EH-MINTLS.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-EH-MINTLS.json new file mode 100644 index 0000000000..7bf5dfbdf9 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-EH-MINTLS.json @@ -0,0 +1,70 @@ +{ + "name": "Deny-EH-minTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Event Hub namespaces should use a valid TLS version", + "description": "Event Hub namespaces should use a valid TLS version.", + "metadata": { + "version": "1.0.0", + "category": "Event Hub", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "minTlsVersion": { + "type": "string", + "metadata": { + "displayName": "Minimum TLS Version", + "description": "Minimum TLS version to be used by Event Hub" + }, + "defaultValue": "1.2" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.EventHub/namespaces" + }, + { + "anyOf": [ + { + "field": "Microsoft.EventHub/namespaces/minimumTlsVersion", + "notEquals": "[[parameters('minTlsVersion')]" + }, + { + "field": "Microsoft.EventHub/namespaces/minimumTlsVersion", + "exists": "false" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
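Review bot: The definition `name` is `Deny-EH-minTLS` while the file is `Deny-EH-MINTLS.json`; every other new definition in this change uses the file name as its `name`, so if any tooling derives resource names from the file name this one will diverge (inferred, not visible here). The `minTlsVersion` check uses `notEquals`, so it is an exact-match test rather than a floor: with the default `1.2` that is fine, but an assignment that sets `1.1` would deny namespaces configured with the stronger `1.2`; either constrain the parameter with `"allowedValues": ["1.2"]` or rename and describe it as the required version rather than a minimum. The parameter also declares `"type": "string"` where the sibling definitions use `"String"`; it works either way but should follow the set's convention.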
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK.json new file mode 100644 index 0000000000..0e7c2dac4a --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK.json @@ -0,0 +1,60 @@ +{ + "name": "Deny-EH-Premium-CMK", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Event Hub namespaces (Premium) should use a customer-managed key for encryption", + "description": "Event Hub namespaces (Premium) should use a customer-managed key for encryption.", + "metadata": { + "version": "1.0.0", + "category": "Event Hub", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.EventHub/namespaces" + }, + { + "field": "Microsoft.EventHub/namespaces/sku.name", + "equals": "Premium" + }, + { + "not": { + "field": "Microsoft.EventHub/namespaces/encryption.keySource", + "equals": "Microsoft.Keyvault" + } + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network.json new file mode 100644 index 0000000000..6160380383 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network.json 
@@ -0,0 +1,66 @@ +{ + "name": "Deny-LogicApp-Public-Network", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Logic apps should disable public network access", + "description": "Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. Creating private endpoints can limit exposure of a Logic App. Learn more at: https://aka.ms/app-service-private-endpoint.", + "metadata": { + "version": "1.0.0", + "category": "Logic Apps", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "contains": "workflowapp" + }, + { + "anyOf": [ + { + "field": "Microsoft.Web/sites/publicNetworkAccess", + "exists": "false" + }, + { + "field": "Microsoft.Web/sites/publicNetworkAccess", + "notEquals": "Disabled" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https.json new file mode 100644 index 0000000000..e17b201b29 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https.json 
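Review bot: The two Logic Apps definitions use different prefixes, `Deny-LogicApp-Public-Network` here and `Deny-LogicApps-Without-Https` in the next file; since these names become the policy definition resource names they are hard to change after release, so one form should be chosen now. The same applies to the `category` value, which both set to `Logic Apps`, so `Deny-LogicApps-...` is the form consistent with the metadata.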
@@ -0,0 +1,66 @@ +{ + "name": "Deny-LogicApps-Without-Https", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Logic app should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "metadata": { + "version": "1.0.0", + "category": "Logic Apps", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "contains": "workflowapp" + }, + { + "anyOf": [ + { + "field": "Microsoft.Web/sites/httpsOnly", + "exists": "false" + }, + { + "field": "Microsoft.Web/sites/httpsOnly", + "equals": "false" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints.json new file mode 100644 index 0000000000..e658b6fe97 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints.json 
@@ -0,0 +1,60 @@ +{ + "name": "Deny-Service-Endpoints", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deny or Audit service endpoints on subnets", + "description": "This Policy will deny/audit Service Endpoints on subnets. Service Endpoints allows the network traffic to bypass Network appliances, such as the Azure Firewall.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/subnets" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*]", + "where": { + "field": "Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*].service", + "exists": true + } + }, + "greater": 0 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy.json new file mode 100644 index 0000000000..e0f3ad0387 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy.json 
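Review bot: The rule targets only the `Microsoft.Network/virtualNetworks/subnets` resource type, but subnets are also commonly created inline in a `Microsoft.Network/virtualNetworks` deployment; whether Azure Policy evaluates those inline subnets against this alias should be verified, and if it does not, a companion condition on the parent virtual network resource is needed or the description should state that only directly deployed subnet resources are covered. The description also has a grammatical slip; `"description": "This Policy will deny/audit Service Endpoints on subnets. Service Endpoints allow network traffic to bypass network appliances, such as the Azure Firewall."` reads correctly.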
@@ -0,0 +1,74 @@ +{ + "name": "Deny-Storage-ContainerDeleteRetentionPolicy", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Storage Accounts should use a container delete retention policy", + "description": "Enforce container delete retention policies larger than seven days for storage account. Enable this for increased data loss protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "minContainerDeleteRetentionInDays": { + "type": "Integer", + "metadata": { + "displayName": "Minimum Container Delete Retention in Days", + "description": "Specifies the minimum number of days for the container delete retention policy" + }, + "defaultValue": 7 + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/blobServices" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled", + "exists": false + }, + { + "field": "Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled", + "notEquals": true + }, + { + "field": "Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.days", + "less": "[[parameters('minContainerDeleteRetentionInDays')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
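Review bot: The description says "larger than seven days" but the rule is `days less minContainerDeleteRetentionInDays` with a default of 7, so exactly seven days is compliant; say what the rule does, e.g. `"description": "Enforce a container delete retention policy of at least the configured number of days (default 7) on storage accounts. Enable this for increased data loss protection."`. Separately, the rule targets the `blobServices` child resource, which is created implicitly with the account and only evaluated by `Deny` when it is explicitly PUT, so an account whose template never touches `blobServices` keeps retention disabled without being denied; if that gap matters, pair this with a DeployIfNotExists or document that `Deny` only covers explicit configuration. The Integer parameter would also benefit from a `minValue` so an assignment cannot set 0.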
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope.json new file mode 100644 index 0000000000..443b0eb6d7 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope.json @@ -0,0 +1,74 @@ +{ + "name": "Deny-Storage-CopyScope", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Allowed Copy scope should be restricted for Storage Accounts", + "description": "Azure Storage accounts should restrict the allowed copy scope. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "allowedCopyScope": { + "type": "String", + "metadata": { + "displayName": "Allowed Copy Scope", + "description": "Specify the allowed copy scope." + }, + "allowedValues": [ + "AAD", + "PrivateLink" + ], + "defaultValue": "AAD" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/allowedCopyScope", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/allowedCopyScope", + "notEquals": "[[parameters('allowedCopyScope')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
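Review bot: `allowedCopyScope` is matched with `notEquals` against a single-valued parameter, so with the default `AAD` an account configured with the stricter `PrivateLink` scope is denied, which penalises the more secure setting. Turn the parameter into a list and compare with `notIn`: `"type": "Array"`, `"defaultValue": ["AAD", "PrivateLink"]`, and `"notIn": "[[parameters('allowedCopyScope')]"`, keeping the two `allowedValues`. The `"exists": "false"` string form also differs from the boolean used by the sibling storage definitions in this change.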
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules.json new file mode 100644 index 0000000000..a4b40d50cf --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules.json 
@@ -0,0 +1,102 @@ +{ + "name": "Deny-Storage-CorsRules", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Storage Accounts should restrict CORS rules", + "description": "Deny CORS rules for storage account for increased data exfiltration protection and endpoint protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/blobServices" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/blobServices/cors.corsRules[*]" + }, + "greater": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/fileServices" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/fileServices/cors.corsRules[*]" + }, + "greater": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/tableServices" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/tableServices/cors.corsRules[*]" + }, + "greater": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/queueServices" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/queueServices/cors.corsRules[*]" + }, + "greater": 0 + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
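Review bot: CORS rules for blob, file, table and queue can also be set through the data-plane service-properties APIs with an account key or SAS, and Azure Policy evaluates only the ARM control plane, so this `Deny` prevents CORS in templates but not via `az storage cors add` or an SDK call against the account; as far as I know there is no resource-provider mode that closes that gap. Say so in the description and pair this definition with a control that disables shared-key access, otherwise the "endpoint protection" claim overstates what the policy achieves. The same child-resource caveat applies here as elsewhere: the `*Services` resources are only evaluated when explicitly PUT.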
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser.json new file mode 100644 index 0000000000..42af888d40 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser.json @@ -0,0 +1,62 @@ +{ + "name": "Deny-Storage-LocalUser", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Local users should be restricted for Storage Accounts", + "description": "Azure Storage accounts should disable local users for features like SFTP. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/isLocalUserEnabled", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/isLocalUserEnabled", + "notEquals": false + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass.json new file mode 100644 index 0000000000..d0c7321560 --- /dev/null 
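Review bot: The `exists: "false"` branch denies any storage account request that does not explicitly set `isLocalUserEnabled`, which is most templates that never enabled SFTP; whether that is acceptable depends on the RP default for the property, which I cannot confirm from here, so please verify before leaving `Deny` as the default effect, and drop the `exists` branch if the default is already `false`. The same `anyOf` mixes the string `"exists": "false"` with the boolean `"notEquals": false`; use one form. The description could also name the setting it enforces, e.g. `"Azure Storage accounts should disable local users (isLocalUserEnabled) used by SFTP and similar features."`.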
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass.json 
@@ -0,0 +1,90 @@ +{ + "name": "Deny-Storage-NetworkAclsBypass", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Network ACL bypass option should be restricted for Storage Accounts", + "description": "Azure Storage accounts should restrict the bypass option for service-level network ACLs. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "allowedBypassOptions": { + "type": "Array", + "metadata": { + "displayName": "Allowed Bypass Options", + "description": "Specifies which options are allowed to bypass the vnet configuration" + }, + "allowedValues": [ + "None", + "Logging", + "Metrics", + "AzureServices", + "Logging, Metrics", + "Logging, AzureServices", + "Metrics, AzureServices", + "Logging, Metrics, AzureServices", + "Logging, Metrics, AzureServices" + ], + "defaultValue": [ + "Logging", + "Metrics", + "AzureServices", + "Logging, Metrics", + "Logging, AzureServices", + "Metrics, AzureServices", + "Logging, Metrics, AzureServices", + "Logging, Metrics, AzureServices" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/networkAcls.bypass", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/networkAcls.bypass", + "notIn": "[[parameters('allowedBypassOptions')]" + } + ] + } + ] + }, + "then": { + 
"effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules.json new file mode 100644 index 0000000000..9c02e4b6ff --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules.json @@ -0,0 +1,56 @@ +{ + "name": "Deny-Storage-NetworkAclsVirtualNetworkRules", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Virtual network rules should be restricted for Storage Accounts", + "description": "Azure Storage accounts should restrict the virtual network service-level network ACLs. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*]" + }, + "greater": 0 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId.json new file mode 100644 index 0000000000..4e58437968 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId.json 
@@ -0,0 +1,66 @@ +{ + "name": "Deny-Storage-ResourceAccessRulesResourceId", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Resource Access Rules resource IDs should be restricted for Storage Accounts", + "description": "Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from a specific Azure subscription. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]" + }, + "greater": 0 + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]", + "where": { + "value": "[[split(current('Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].resourceId'), '/')[2]]", + "equals": "*" + } + }, + "greater": 0 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId.json new file mode 100644 index 0000000000..91197f3ba0 --- /dev/null 
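Review bot: The first `count ... resourceAccessRules[*] greater 0` condition is implied by the second (a count of rules whose subscription segment is `*` cannot be greater than zero unless rules exist), so it can be removed to keep the rule readable. Only `split(resourceId, '/')[2]`, the subscription segment, is compared, so a rule such as `/subscriptions/<id>/resourceGroups/*/providers/...` still passes; if wildcarding below the subscription is intentionally allowed, state that in the description, otherwise also compare segment `[4]`. A `resourceId` with fewer than three segments would make the `split(...)[2]` index throw at evaluation time, though ARM should reject such ids before policy runs.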
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId.json @@ -0,0 +1,60 @@ +{ + "name": "Deny-Storage-ResourceAccessRulesTenantId", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Resource Access Rules Tenants should be restricted for Storage Accounts", + "description": "Azure Storage accounts should restrict the resource access rule for service-level network ACLs to service from the same AAD tenant. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]" + }, + "greater": 0 + }, + { + "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].tenantId", + "notEquals": "[[subscription().tenantId]" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption.json new file mode 100644 index 0000000000..19f5127565 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption.json 
@@ -0,0 +1,102 @@ +{ + "name": "Deny-Storage-ServicesEncryption", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Encryption for storage services should be enforced for Storage Accounts", + "description": "Azure Storage accounts should enforce encryption for all storage services. Enforce this for increased encryption scope.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled", + "notEquals": true + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.file.enabled", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.file.enabled", + "notEquals": true + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType", + "notEquals": "Account" + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.table.keyType", + "exists": "false" + }, + { + "field": 
"Microsoft.Storage/storageAccounts/encryption.services.table.keyType", + "notEquals": "Account" + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS.json index 0c980060a1..af3c967807 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS.json @@ -5,11 +5,13 @@ "scope": null, "properties": { "policyType": "Custom", - "mode": "Indexed", - "displayName": "Storage Account set to minimum TLS and Secure transfer should be enabled", - "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", + "mode": "All", + "displayName": "[Deprecated] Storage Account set to minimum TLS and Secure transfer should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/fe83a0eb-a853-422d-aac2-1bffd182c5d0.html and https://www.azadvertizer.net/azpolicyadvertizer/404c3081-a854-4457-ae30-26a93ef643f9.html", "metadata": { - "version": "1.0.0", + "deprecated": true, + "supersededBy": "fe83a0eb-a853-422d-aac2-1bffd182c5d0,404c3081-a854-4457-ae30-26a93ef643f9", + "version": "1.0.0-deprecated", "category": "Storage", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ 
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS.json new file mode 100644 index 0000000000..9932a32f64 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS.json 
@@ -0,0 +1,95 @@ +{ + "name": "Deploy-LogicApp-TLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Configure Logic apps to use the latest TLS version", + "description": "Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.", + "metadata": { + "version": "1.0.0", + "category": "Logic Apps", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "contains": "workflowapp" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Web/sites/config", + "name": "web", + "existenceCondition": { + "field": "Microsoft.Web/sites/config/minTlsVersion", + "equals": "1.2" + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772" + ], + "deployment": { + "properties": { + "mode": "incremental", + "parameters": { + "siteName": { + "value": "[[field('name')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "siteName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": 
"Microsoft.Web/sites/config", + "apiVersion": "2021-02-01", + "name": "[[concat(parameters('siteName'), '/web')]", + "properties": { + "minTlsVersion": "1.2" + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Modify-NSG.json b/src/resources/Microsoft.Authorization/policyDefinitions/Modify-NSG.json new file mode 100644 index 0000000000..c8c8be1153 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Modify-NSG.json 
@@ -0,0 +1,129 @@ +{ + "name": "Modify-NSG", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Enforce specific configuration of Network Security Groups (NSG)", + "description": "This policy enforces the configuration of Network Security Groups (NSG).", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Modify", + "Disabled" + ], + "defaultValue": "Modify", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "nsgRuleName": { + "type": "string", + "defaultValue": "DenyAnyInternetOutbound" + }, + "nsgRulePriority": { + "type": "integer", + "defaultValue": 1000 + }, + "nsgRuleDirection": { + "type": "string", + "allowedValues": [ + "Inbound", + "Outbound" + ], + "defaultValue": "Outbound" + }, + "nsgRuleAccess": { + "type": "string", + "allowedValues": [ + "Allow", + "Deny" + ], + "defaultValue": "Deny" + }, + "nsgRuleProtocol": { + "type": "string", + "defaultValue": "*" + }, + "nsgRuleSourceAddressPrefix": { + "type": "string", + "defaultValue": "*" + }, + "nsgRuleSourcePortRange": { + "type": "string", + "defaultValue": "*" + }, + "nsgRuleDestinationAddressPrefix": { + "type": "string", + "defaultValue": "Internet" + }, + "nsgRuleDestinationPortRange": { + "type": "string", + "defaultValue": "*" + }, + "nsgRuleDescription": { + "type": "string", + "defaultValue": "Deny any outbound traffic to the Internet" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + }, + { + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]" + }, + 
"equals": 0 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "conflictEffect": "audit", + "operations": [ + { + "operation": "add", + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]", + "value": { + "name": "[[parameters('nsgRuleName')]", + "properties": { + "description": "[[parameters('nsgRuleDescription')]", + "protocol": "[[parameters('nsgRuleProtocol')]", + "sourcePortRange": "[[parameters('nsgRuleSourcePortRange')]", + "destinationPortRange": "[[parameters('nsgRuleDestinationPortRange')]", + "sourceAddressPrefix": "[[parameters('nsgRuleSourceAddressPrefix')]", + "destinationAddressPrefix": "[[parameters('nsgRuleDestinationAddressPrefix')]", + "access": "[[parameters('nsgRuleAccess')]", + "priority": "[[parameters('nsgRulePriority')]", + "direction": "[[parameters('nsgRuleDirection')]" + } + } + } + ] + } + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Modify-UDR.json b/src/resources/Microsoft.Authorization/policyDefinitions/Modify-UDR.json new file mode 100644 index 0000000000..eb698e5d84 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Modify-UDR.json 
@@ -0,0 +1,103 @@ +{ + "name": "Modify-UDR", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Enforce specific configuration of User-Defined Routes (UDR)", + "description": "This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Modify", + "Disabled" + ], + "defaultValue": "Modify", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "description": "The destination IP address range in CIDR notation that this Policy checks for within the UDR. Example: 0.0.0.0/0 to check for the presence of a default route.", + "displayName": "Address Prefix" + } + }, + "nextHopType": { + "type": "string", + "metadata": { + "description": "The next hope type that the policy checks for within the inspected route. 
The value can be Virtual Network, Virtual Network Gateway, Internet, Virtual Appliance, or None.", + "displayName": "Next Hop Type" + }, + "allowedValues": [ + "VnetLocal", + "VirtualNetworkGateway", + "Internet", + "VirtualAppliance", + "None" + ] + }, + "nextHopIpAddress": { + "type": "string", + "metadata": { + "description": "The IP address packets should be forwarded to.", + "displayName": "Next Hop IP Address" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/routeTables" + }, + { + "count": { + "field": "Microsoft.Network/routeTables/routes[*]" + }, + "equals": 0 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "conflictEffect": "audit", + "operations": [ + { + "operation": "add", + "field": "Microsoft.Network/routeTables/routes[*]", + "value": { + "name": "default", + "properties": { + "addressPrefix": "[[parameters('addressPrefix')]", + "nextHopType": "[[parameters('nextHopType')]", + "nextHopIpAddress": "[[parameters('nextHopIpAddress')]" + } + } + } + ] + } + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json index 037d3756b2..76dff509cb 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json 
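Review bot: The `add` operation always writes `nextHopIpAddress` into the new route, but as far as I know ARM only accepts that property when `nextHopType` is `VirtualAppliance`, so an assignment choosing `Internet`, `None`, `VnetLocal` or `VirtualNetworkGateway` would produce an invalid route table PUT; give `nextHopIpAddress` a `"defaultValue": ""` and state in its description that it is only used with `VirtualAppliance`, or split the operation by hop type. The `nextHopType` description has a typo and does not match the `allowedValues`: `"description": "The next hop type that the policy checks for within the inspected route. The value can be VnetLocal, VirtualNetworkGateway, Internet, VirtualAppliance, or None."`. The `routes[*] equals 0` guard has the same opt-out weakness as Modify-NSG: a route table created with any route is never given the default route.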
@@ -1,529 +1,973 @@ { - "name": "Deny-PublicPaaSEndpoints", - "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", - "scope": null, - "properties": { - "policyType": "Custom", - "displayName": "Public network access should be disabled for PaaS services", - "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints", - "metadata": { - "version": "4.0.0", - "category": "Network", - "source": "https://github.com/Azure/Enterprise-Scale/", - "alzCloudEnvironments": [ - "AzureCloud" - ] - }, - "parameters": { - "CosmosPublicIpDenyEffect": { - "type": "String", + "name": "Deny-PublicPaaSEndpoints", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Public network access should be disabled for PaaS services", + "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints", "metadata": { - "displayName": "Public network access should be disabled for CosmosDB", - "description": "This policy denies that Cosmos database accounts are created with out public network access is disabled." 
+ "version": "5.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "KeyVaultPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for KeyVault", - "description": "This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "SqlServerPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access on Azure SQL Database should be disabled", - "description": "This policy denies creation of Sql servers with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "StoragePublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access onStorage accounts should be disabled", - "description": "This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "AKSPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access on AKS API should be disabled", - "description": "This policy denies the creation of Azure Kubernetes Service non-private clusters" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "ACRPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access on Azure Container Registry disabled", - "description": "This policy denies the creation of Azure Container Registires with exposed public endpoints " - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - 
"AFSPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access on Azure File Sync disabled", - "description": "This policy denies the creation of Azure File Sync instances with exposed public endpoints " - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "PostgreSQLFlexPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for PostgreSql Flexible Server", - "description": "This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "MySQLFlexPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for MySQL Flexible Server", - "description": "This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "BatchPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for Azure Batch Instances", - "description": "This policy denies creation of Azure Batch Instances with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "MariaDbPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for Azure MariaDB", - "description": "This policy denies creation of Azure MariaDB with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "MlPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for Azure Machine Learning", - "description": "This policy denies creation of Azure Machine Learning with 
exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "RedisCachePublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for Azure Cache for Redis", - "description": "This policy denies creation of Azure Cache for Redis with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "BotServicePublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for Bot Service", - "description": "This policy denies creation of Bot Service with exposed public endpoints. Bots should be seet to 'isolated only' mode" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "AutomationPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for Automation accounts", - "description": "This policy denies creation of Automation accounts with exposed public endpoints. 
Bots should be seet to 'isolated only' mode" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "AppConfigPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for App Configuration", - "description": "This policy denies creation of App Configuration with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "FunctionPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for Function apps", - "description": "This policy denies creation of Function apps with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "AsePublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for App Service Environment apps", - "description": "This policy denies creation of App Service Environment apps with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "AsPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for App Service apps", - "description": "This policy denies creation of App Service apps with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "ApiManPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for API Management services", - "description": "This policy denies creation of API Management services with exposed public endpoints" - }, - "allowedValues": [ - "AuditIfNotExists", - "Disabled" - ], - "defaultValue": "AuditIfNotExists" - }, - "ContainerAppsEnvironmentDenyEffect" : { - "type": "String", - "metadata": { - "displayName": 
"Container Apps environment should disable public network access", - "description": "This policy denies creation of Container Apps Environment with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "AsrVaultDenyEffect" : { - "type": "String", - "metadata": { - "displayName": "Azure Recovery Services vaults should disable public network access", - "description": "This policy denies creation of Azure Recovery Services vaults with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - } - }, - "policyDefinitions": [ - { - "policyDefinitionReferenceId": "CosmosDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", - "parameters": { - "effect": { - "value": "[[parameters('CosmosPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "KeyVaultDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b", - "parameters": { - "effect": { - "value": "[[parameters('KeyVaultPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "SqlServerDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", - "parameters": { - "effect": { - "value": "[[parameters('SqlServerPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "StorageDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693", - "parameters": { - "effect": { - "value": "[[parameters('StoragePublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "AKSDenyPaasPublicIP", - "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", - "parameters": { - "effect": { - "value": "[[parameters('AKSPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "ACRDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f", - "parameters": { - "effect": { - "value": "[[parameters('ACRPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "AFSDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7", - "parameters": { - "effect": { - "value": "[[parameters('AFSPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "PostgreSQLFlexDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", - "parameters": { - "effect": { - "value": "[[parameters('PostgreSQLFlexPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "MySQLFlexDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", - "parameters": { - "effect": { - "value": "[[parameters('MySQLFlexPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "BatchDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488", - "parameters": { - "effect": { - "value": "[[parameters('BatchPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "MariaDbDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077", - "parameters": { - "effect": { - "value": "[[parameters('MariaDbPublicIpDenyEffect')]" - } - }, - "groupNames": [] 
- }, - { - "policyDefinitionReferenceId": "MlDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce", - "parameters": { - "effect": { - "value": "[[parameters('MlPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "RedisCacheDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663", "parameters": { - "effect": { - "value": "[[parameters('RedisCachePublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "BotServiceDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d", - "parameters": { - "effect": { - "value": "[[parameters('BotServicePublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "AutomationDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6", - "parameters": { - "effect": { - "value": "[[parameters('AutomationPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "AppConfigDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187", - "parameters": { - "effect": { - "value": "[[parameters('AppConfigPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "FunctionDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127", - "parameters": { - "effect": { - "value": "[[parameters('FunctionPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "AseDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3", - "parameters": { - 
"effect": { - "value": "[[parameters('AsePublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "AsDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba", - "parameters": { - "effect": { - "value": "[[parameters('AsPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "ApiManDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd", - "parameters": { - "effect": { - "value": "[[parameters('ApiManPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "ContainerAppsEnvironmentDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a", - "parameters": { - "effect": { - "value": "[[parameters('ContainerAppsEnvironmentDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "AsrVaultDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090", - "parameters": { - "effect": { - "value": "[[parameters('AsrVaultDenyEffect')]" - } - }, - "groupNames": [] - } - ], - "policyDefinitionGroups": null - } + "CosmosPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for CosmosDB", + "description": "This policy denies that Cosmos database accounts are created with out public network access is disabled." 
+ }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "KeyVaultPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for KeyVault", + "description": "This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "SqlServerPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access on Azure SQL Database should be disabled", + "description": "This policy denies creation of Sql servers with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "StoragePublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access onStorage accounts should be disabled", + "description": "This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AKSPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access on AKS API should be disabled", + "description": "This policy denies the creation of Azure Kubernetes Service non-private clusters" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "ACRPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access on Azure Container Registry disabled", + "description": "This policy denies the creation of Azure Container Registries with exposed public endpoints " + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AFSPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access on Azure File Sync disabled", + "description": "This policy denies 
the creation of Azure File Sync instances with exposed public endpoints " + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "PostgreSQLFlexPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for PostgreSql Flexible Server", + "description": "This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "postgreSqlPublicNetworkAccess": { + "type": "string", + "metadata": { + "displayName": "Public network access should be disabled for PostgreSQL servers", + "description": "This policy denies creation of PostgreSQL DB accounts with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "MySQLFlexPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for MySQL Flexible Server", + "description": "This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "BatchPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Azure Batch Instances", + "description": "This policy denies creation of Azure Batch Instances with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "MariaDbPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Azure MariaDB", + "description": "This policy denies creation of Azure MariaDB with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "MlPublicIpDenyEffect": { + "type": 
"String", + "metadata": { + "displayName": "Public network access should be disabled for Azure Machine Learning", + "description": "This policy denies creation of Azure Machine Learning with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "RedisCachePublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Azure Cache for Redis", + "description": "This policy denies creation of Azure Cache for Redis with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "BotServicePublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Bot Service", + "description": "This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AutomationPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Automation accounts", + "description": "This policy denies creation of Automation accounts with exposed public endpoints. 
Bots should be set to 'isolated only' mode" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AppConfigPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for App Configuration", + "description": "This policy denies creation of App Configuration with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "FunctionPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Function apps", + "description": "This policy denies creation of Function apps with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "FunctionAppSlotPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Function apps", + "description": "This policy denies creation of Function apps with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AsePublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for App Service Environment apps", + "description": "This policy denies creation of App Service Environment apps with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AsPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for App Service apps", + "description": "This policy denies creation of App Service apps with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "ApiManPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled 
for API Management services", + "description": "This policy denies creation of API Management services with exposed public endpoints" + }, + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "AuditIfNotExists" + }, + "ContainerAppsEnvironmentDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Container Apps environment should disable public network access", + "description": "This policy denies creation of Container Apps Environment with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AsrVaultDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Azure Recovery Services vaults should disable public network access", + "description": "This policy denies creation of Azure Recovery Services vaults with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "logicAppPublicNetworkAccessEffect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "appSlotsPublicNetworkAccess": { + "type": "string", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "cognitiveSearchPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "managedDiskPublicNetworkAccess": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "containerAppsPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adxPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adfPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + 
"eventGridPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventGridTopicPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubNamespacesPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultManagedHsmDisablePublicNetwork": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "mySqlPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "serviceBusDisablePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "sqlManagedPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsPublicAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapsePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "avdHostPoolPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "avdWorkspacePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "graphanaPublicNetworkAccess": { + "type": "string", + 
"defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "CosmosDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", + "parameters": { + "effect": { + "value": "[[parameters('CosmosPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KeyVaultDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b", + "parameters": { + "effect": { + "value": "[[parameters('KeyVaultPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlServerDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", + "parameters": { + "effect": { + "value": "[[parameters('SqlServerPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693", + "parameters": { + "effect": { + "value": "[[parameters('StoragePublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AKSDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", + "parameters": { + "effect": { + "value": "[[parameters('AKSPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ACRDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f", + "parameters": { + "effect": { + "value": "[[parameters('ACRPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AFSDenyPaasPublicIP", + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7", + "parameters": { + "effect": { + "value": "[[parameters('AFSPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLFlexDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLFlexPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-PostgreSql-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('postgreSqlPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionReferenceId": "MySQLFlexDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", + "parameters": { + "effect": { + "value": "[[parameters('MySQLFlexPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "BatchDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488", + "parameters": { + "effect": { + "value": "[[parameters('BatchPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MariaDbDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077", + "parameters": { + "effect": { + "value": "[[parameters('MariaDbPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MlDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce", + "parameters": { + "effect": { + "value": 
"[[parameters('MlPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisCacheDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663", + "parameters": { + "effect": { + "value": "[[parameters('RedisCachePublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "BotServiceDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d", + "parameters": { + "effect": { + "value": "[[parameters('BotServicePublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AutomationDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6", + "parameters": { + "effect": { + "value": "[[parameters('AutomationPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppConfigDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187", + "parameters": { + "effect": { + "value": "[[parameters('AppConfigPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127", + "parameters": { + "effect": { + "value": "[[parameters('FunctionPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionAppSlotsDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2", + "parameters": { + "effect": { + "value": "[[parameters('FunctionAppSlotPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AseDenyPublicIP", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3", + "parameters": { + "effect": { + "value": "[[parameters('AsePublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AsDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba", + "parameters": { + "effect": { + "value": "[[parameters('AsPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ApiManDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd", + "parameters": { + "effect": { + "value": "[[parameters('ApiManPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ContainerAppsEnvironmentDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a", + "parameters": { + "effect": { + "value": "[[parameters('ContainerAppsEnvironmentDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1", + "policyDefinitionReferenceId": "Deny-ContainerApps-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerAppsPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionReferenceId": "AsrVaultDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090", + "parameters": { + "effect": { + "value": "[[parameters('AsrVaultDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-LogicApp-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network", + "groupNames": [], + 
"parameters": { + "effect": { + "value": "[[parameters('logicAppPublicNetworkAccessEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622", + "policyDefinitionReferenceId": "Deny-AppSlots-Public", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appSlotsPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3", + "policyDefinitionReferenceId": "Deny-CognitiveSearch-PublicEndpoint", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094", + "policyDefinitionReferenceId": "Deny-ManagedDisk-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('managedDiskPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673", + "policyDefinitionReferenceId": "Deny-ADX-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('adxPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6", + "policyDefinitionReferenceId": "Deny-Adf-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('adfPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68", + "policyDefinitionReferenceId": "Deny-EventGrid-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventGridPublicNetworkAccess')]" + } + } + }, + { + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45", + "policyDefinitionReferenceId": "Deny-EventGrid-Topic-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e", + "policyDefinitionReferenceId": "Deny-EH-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f", + "policyDefinitionReferenceId": "Deny-KV-Hms-PublicNetwork", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultManagedHsmDisablePublicNetwork')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095", + "policyDefinitionReferenceId": "Deny-MySql-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('mySqlPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13", + "policyDefinitionReferenceId": "Deny-Sb-PublicEndpoint", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('serviceBusDisablePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91", + "policyDefinitionReferenceId": "Deny-Sql-Managed-Public-Endpoint", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751", + "policyDefinitionReferenceId": "Deny-Storage-Public-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsPublicAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d", + "policyDefinitionReferenceId": "Deny-Synapse-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapsePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd", + "policyDefinitionReferenceId": "Deny-Workspace-PublicNetworkAccess", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('avdWorkspacePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334", + "policyDefinitionReferenceId": "Deny-Hostpool-PublicNetworkAccess", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('avdHostPoolPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628", + 
"policyDefinitionReferenceId": "Deny-Graphana-PublicNetworkAccess",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('graphanaPublicNetworkAccess')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
 }
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json
index 9dc375a3c9..e957cd0a10 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json
@@ -216,6 +216,18 @@
 "description": "Select the vulnerability assessment solution to provision to machines."
 }
 },
+ "enableAscForApis": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
 "enableAscForCspm": {
 "type": "String",
 "allowedValues": [
@@ -376,6 +388,16 @@
 },
 "groupNames": []
 },
+ {
+ "policyDefinitionReferenceId": "defenderForApis",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForApis')]"
+ }
+ },
+ "groupNames": []
+ },
 {
 "policyDefinitionReferenceId": "defenderForCspm",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd",
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json
index 798d4e1101..e62007a4a8 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json
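Review bot: The new `enableAscForApis` parameter and the `defenderForApis` policy reference are added to Deploy-MDFC-Config.json without a visible change to the initiative's `metadata.version`; that field lies outside both hunks, so if it is not bumped elsewhere in this commit, consumers who pin or track the initiative by version will not notice that an additional Defender plan is now enabled by default. With `"defaultValue": "DeployIfNotExists"`, any existing assignment of this initiative that does not set the parameter will start turning on the Defender for APIs plan on the subscriptions in scope, which is a billing and change-control effect the parameter metadata should state, e.g. `"description": "Enable or disable the execution of the policy. Defaults to DeployIfNotExists, which enables the Defender for APIs plan on in-scope subscriptions."`. The `"displayName": "Effect"` mirrors the sibling parameters but says nothing about which plan it governs; the reference id `defenderForApis` carries that information, so the metadata could as well. The identical parameter and reference are removed from Deploy-MDFC-Config_20240319.json in the next file section, so this reads as moving the plan between the two variants rather than a net addition; it is worth confirming that direction is intended, since the dated file name suggests it is the newer initiative.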
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json
@@ -203,18 +203,6 @@
 "description": "Select the vulnerability assessment solution to provision to machines."
 }
 },
- "enableAscForApis": {
- "type": "String",
- "allowedValues": [
- "DeployIfNotExists",
- "Disabled"
- ],
- "defaultValue": "DeployIfNotExists",
- "metadata": {
- "displayName": "Effect",
- "description": "Enable or disable the execution of the policy"
- }
- },
 "enableAscForCspm": {
 "type": "String",
 "allowedValues": [
@@ -365,16 +353,6 @@
 },
 "groupNames": []
 },
- {
- "policyDefinitionReferenceId": "defenderForApis",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6",
- "parameters": {
- "effect": {
- "value": "[[parameters('enableAscForApis')]"
- }
- },
- "groupNames": []
- },
 {
 "policyDefinitionReferenceId": "defenderForCspm",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd",
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json
index 840c33c8b5..5b8e55e808 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json
@@ -1,641 +1,643 @@ { - "name": "Enforce-EncryptTransit", - "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", - "scope": null, - "properties": { - "policyType": "Custom", - "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", - "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. ", - "metadata": { - "version": "2.1.0", - "category": "Encryption", - "source": "https://github.com/Azure/Enterprise-Scale/", - "alzCloudEnvironments": [ - "AzureCloud", - "AzureChinaCloud", - "AzureUSGovernment" - ] - }, - "parameters": { - "AppServiceHttpEffect": { - "type": "String", - "defaultValue": "Append", - "allowedValues": [ - "Append", - "Disabled" - ], - "metadata": { - "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below", - "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny." - } - }, - "AppServiceTlsVersionEffect": { - "type": "String", - "defaultValue": "Append", - "allowedValues": [ - "Append", - "Disabled" - ], - "metadata": { - "displayName": "App Service. Appends the AppService WebApp, APIApp, Function App to enable https only", - "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny." 
- } - }, - "AppServiceminTlsVersion": { - "type": "String", - "defaultValue": "1.2", - "allowedValues": [ - "1.2", - "1.0", - "1.1" - ], - "metadata": { - "displayName": "App Service. Select version minimum TLS Web App config", - "description": "App Service. Select version minimum TLS version for a Web App config to enforce" - } - }, - "APIAppServiceHttpsEffect": { - "metadata": { - "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", - "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ] - }, - "FunctionLatestTlsEffect": { - "metadata": { - "displayName": "App Service Function App. Latest TLS version should be used in your Function App", - "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." - }, - "type": "String", - "defaultValue": "AuditIfNotExists", - "allowedValues": [ - "AuditIfNotExists", - "Disabled" - ] - }, - "FunctionServiceHttpsEffect": { - "metadata": { - "displayName": "App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", - "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ] - }, - "WebAppServiceLatestTlsEffect": { - "metadata": { - "displayName": "App Service Web App. Latest TLS version should be used in your Web App", - "description": "Only Audit, deny not possible as it is a related resource. 
Upgrade to the latest TLS version." - }, - "type": "String", - "defaultValue": "AuditIfNotExists", - "allowedValues": [ - "AuditIfNotExists", - "Disabled" - ] - }, - "WebAppServiceHttpsEffect": { - "metadata": { - "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", - "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ] - }, - "AKSIngressHttpsOnlyEffect": { - "metadata": { - "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster", - "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc." - }, - "type": "String", - "defaultValue": "deny", - "allowedValues": [ - "audit", - "deny", - "disabled" - ] - }, - "MySQLEnableSSLDeployEffect": { - "type": "String", - "defaultValue": "DeployIfNotExists", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "metadata": { - "displayName": "MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server", - "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
- } - }, - "MySQLEnableSSLEffect": { - "metadata": { - "displayName": "MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers", - "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ] - }, - "MySQLminimalTlsVersion": { - "type": "String", - "defaultValue": "TLS1_2", - "allowedValues": [ - "TLS1_2", - "TLS1_0", - "TLS1_1", - "TLSEnforcementDisabled" - ], - "metadata": { - "displayName": "MySQL database servers. Select version minimum TLS for MySQL server", - "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" - } - }, - "PostgreSQLEnableSSLDeployEffect": { - "type": "String", - "defaultValue": "DeployIfNotExists", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "metadata": { - "displayName": "PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server", - "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
- } - }, - "PostgreSQLEnableSSLEffect": { - "metadata": { - "displayName": "PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers", - "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ] - }, - "PostgreSQLminimalTlsVersion": { - "type": "String", - "defaultValue": "TLS1_2", - "allowedValues": [ - "TLS1_2", - "TLS1_0", - "TLS1_1", - "TLSEnforcementDisabled" - ], - "metadata": { - "displayName": "PostgreSQL database servers. Select version minimum TLS for MySQL server", - "description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce" - } - }, - "RedisTLSDeployEffect": { - "type": "String", - "defaultValue": "Append", - "allowedValues": [ - "Append", - "Disabled" - ], - "metadata": { - "displayName": "Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis", - "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
- } - }, - "RedisMinTlsVersion": { - "type": "String", - "defaultValue": "1.2", - "allowedValues": [ - "1.2", - "1.0", - "1.1" - ], - "metadata": { - "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis", - "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce" - } - }, - "RedisTLSEffect": { - "metadata": { - "displayName": "Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled", - "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking." - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, - "SQLManagedInstanceTLSDeployEffect": { - "type": "String", - "defaultValue": "DeployIfNotExists", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "metadata": { - "displayName": "Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", - "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
- } - }, - "SQLManagedInstanceMinTlsVersion": { - "type": "String", - "defaultValue": "1.2", - "allowedValues": [ - "1.2", - "1.0", - "1.1" - ], - "metadata": { - "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance", - "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce" - } - }, - "SQLManagedInstanceTLSEffect": { - "metadata": { - "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2", - "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ] - }, - "SQLServerTLSDeployEffect": { - "type": "String", - "defaultValue": "DeployIfNotExists", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "metadata": { - "displayName": "Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", - "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
- } - }, - "SQLServerminTlsVersion": { - "type": "String", - "defaultValue": "1.2", - "allowedValues": [ - "1.2", - "1.0", - "1.1" - ], - "metadata": { - "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database", - "description": "Select version minimum TLS version for Azure SQL Database to enforce" - } - }, - "SQLServerTLSEffect": { - "metadata": { - "displayName": "Azure SQL Database should have the minimal TLS version of 1.2", - "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ] - }, - "StorageDeployHttpsEnabledEffect": { - "metadata": { - "displayName": "Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled", - "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" - }, - "type": "String", - "defaultValue": "DeployIfNotExists", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" + "name": "Enforce-EncryptTransit", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. 
Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html", + "metadata": { + "version": "2.1.0-deprecated", + "category": "Encryption", + "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "supersededBy": "Enforce-EncryptTransit_20240509", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" ] }, - "StorageminimumTlsVersion": { - "type": "String", - "defaultValue": "TLS1_2", - "allowedValues": [ - "TLS1_2", - "TLS1_1", - "TLS1_0" - ], - "metadata": { - "displayName": "Storage Account select minimum TLS version", - "description": "Select version minimum TLS version on Azure Storage Account to enforce" - } - }, - "StorageHttpsEnabledEffect": { - "metadata": { - "displayName": "Azure Storage Account. Secure transfer to storage accounts should be enabled", - "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, - "ContainerAppsHttpsOnlyEffect": { - "metadata": { - "displayName": "Container Apps should only be accessible over HTTPS", - "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps." 
- }, - "type": "String", - "defaultValue": "Deny", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - } - }, - "policyDefinitions": [ - { - "policyDefinitionReferenceId": "AppServiceHttpEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", - "parameters": { - "effect": { - "value": "[[parameters('AppServiceHttpEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "AppServiceminTlsVersion", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", - "parameters": { - "effect": { - "value": "[[parameters('AppServiceTlsVersionEffect')]" - }, - "minTlsVersion": { - "value": "[[parameters('AppServiceminTlsVersion')]" + "parameters": { + "AppServiceHttpEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below", + "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny." 
} }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "FunctionLatestTlsEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", - "parameters": { - "effect": { - "value": "[[parameters('FunctionLatestTlsEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", - "parameters": { - "effect": { - "value": "[[parameters('WebAppServiceLatestTlsEffect')]" + "AppServiceTlsVersionEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService WebApp, APIApp, Function App to enable https only", + "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny." 
} }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", - "parameters": { - "effect": { - "value": "[[parameters('APIAppServiceHttpsEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "FunctionServiceHttpsEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", - "parameters": { - "effect": { - "value": "[[parameters('FunctionServiceHttpsEffect')]" + "AppServiceminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "App Service. Select version minimum TLS Web App config", + "description": "App Service. Select version minimum TLS version for a Web App config to enforce" } }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", - "parameters": { - "effect": { - "value": "[[parameters('WebAppServiceHttpsEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", - "parameters": { - "effect": { - "value": "[[parameters('AKSIngressHttpsOnlyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", - "parameters": { - "effect": { - "value": 
"[[parameters('MySQLEnableSSLDeployEffect')]" - }, - "minimalTlsVersion": { - "value": "[[parameters('MySQLminimalTlsVersion')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "MySQLEnableSSLEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", - "parameters": { - "effect": { - "value": "[[parameters('MySQLEnableSSLEffect')]" - }, - "minimalTlsVersion": { - "value": "[[parameters('MySQLminimalTlsVersion')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", - "parameters": { - "effect": { - "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]" - }, - "minimalTlsVersion": { - "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + "APIAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionLatestTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Latest TLS version should be used in your Function App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "FunctionServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Function App. 
Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "WebAppServiceLatestTlsEffect": { + "metadata": { + "displayName": "App Service Web App. Latest TLS version should be used in your Web App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "WebAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "AKSIngressHttpsOnlyEffect": { + "metadata": { + "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster", + "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc." 
+ }, + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ] + }, + "MySQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." } }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", - "parameters": { - "effect": { - "value": "[[parameters('PostgreSQLEnableSSLEffect')]" - }, - "minimalTlsVersion": { - "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + "MySQLEnableSSLEffect": { + "metadata": { + "displayName": "MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
+ }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "MySQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "MySQL database servers. Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" } }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "RedisTLSDeployEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", - "parameters": { - "effect": { - "value": "[[parameters('RedisTLSDeployEffect')]" - }, - "minimumTlsVersion": { - "value": "[[parameters('RedisMinTlsVersion')]" + "PostgreSQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
} }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "RedisdisableNonSslPort", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", - "parameters": { - "effect": { - "value": "[[parameters('RedisTLSDeployEffect')]" + "PostgreSQLEnableSSLEffect": { + "metadata": { + "displayName": "PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "PostgreSQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. Select version minimum TLS for MySQL server", + "description": "PostgreSQL database servers. 
Select version minimum TLS version Azure Database for MySQL server to enforce" } }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "RedisDenyhttps", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", - "parameters": { - "effect": { - "value": "[[parameters('RedisTLSEffect')]" - }, - "minimumTlsVersion": { - "value": "[[parameters('RedisMinTlsVersion')]" + "RedisTLSDeployEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
} }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", - "parameters": { - "effect": { - "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]" - }, - "minimalTlsVersion": { - "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + "RedisMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis", + "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce" } }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", - "parameters": { - "effect": { - "value": "[[parameters('SQLManagedInstanceTLSEffect')]" - }, - "minimalTlsVersion": { - "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + "RedisTLSEffect": { + "metadata": { + "displayName": "Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled", + "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking." 
+ }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "SQLManagedInstanceTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." } }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "SQLServerTLSDeployEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", - "parameters": { - "effect": { - "value": "[[parameters('SQLServerTLSDeployEffect')]" - }, - "minimalTlsVersion": { - "value": "[[parameters('SQLServerminTlsVersion')]" + "SQLManagedInstanceMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance", + "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce" } }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "SQLServerTLSEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", - "parameters": { - "effect": { - "value": "[[parameters('SQLServerTLSEffect')]" - }, - "minimalTlsVersion": { - "value": 
"[[parameters('SQLServerminTlsVersion')]" + "SQLManagedInstanceTLSEffect": { + "metadata": { + "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "SQLServerTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
} }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "StorageHttpsEnabledEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS", - "parameters": { - "effect": { - "value": "[[parameters('StorageHttpsEnabledEffect')]" - }, - "minimumTlsVersion": { - "value": "[[parameters('StorageMinimumTlsVersion')]" + "SQLServerminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database", + "description": "Select version minimum TLS version for Azure SQL Database to enforce" } }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", - "parameters": { - "effect": { - "value": "[[parameters('StorageDeployHttpsEnabledEffect')]" - }, - "minimumTlsVersion": { - "value": "[[parameters('StorageMinimumTlsVersion')]" + "SQLServerTLSEffect": { + "metadata": { + "displayName": "Azure SQL Database should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "StorageDeployHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. 
Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "StorageminimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Storage Account select minimum TLS version", + "description": "Select version minimum TLS version on Azure Storage Account to enforce" } }, - "groupNames": [] + "StorageHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "ContainerAppsHttpsOnlyEffect": { + "metadata": { + "displayName": "Container Apps should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps." 
+ }, + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } }, - { - "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", - "parameters": { - "effect": { - "value": "[[parameters('ContainerAppsHttpsOnlyEffect')]" - } - }, - "groupNames": [] - } - ], - "policyDefinitionGroups": null - } -} \ No newline at end of file + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AppServiceHttpEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceHttpEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceminTlsVersion", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceTlsVersionEffect')]" + }, + "minTlsVersion": { + "value": "[[parameters('AppServiceminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "parameters": { + "effect": { + "value": "[[parameters('FunctionLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", + "policyDefinitionId": 
"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('APIAppServiceHttpsEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "FunctionServiceHttpsEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('FunctionServiceHttpsEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "WebAppServiceHttpsEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('WebAppServiceHttpsEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AKSIngressHttpsOnlyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLEnableSSLDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('MySQLminimalTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "MySQLEnableSSLEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLEnableSSLEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('MySQLminimalTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('PostgreSQLminimalTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLEnableSSLEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('PostgreSQLminimalTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "RedisTLSDeployEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('RedisTLSDeployEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('RedisMinTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "RedisdisableNonSslPort",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('RedisTLSDeployEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "RedisDenyhttps",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http",
+ "parameters": {
+ 
"effect": {
+ "value": "[[parameters('RedisTLSEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('RedisMinTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLManagedInstanceTLSEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SQLServerTLSDeployEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLServerTLSDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLServerminTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SQLServerTLSEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLServerTLSEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLServerminTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageHttpsEnabledEffect",
+ "policyDefinitionId": 
"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StorageHttpsEnabledEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('StorageMinimumTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StorageDeployHttpsEnabledEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('StorageMinimumTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('ContainerAppsHttpsOnlyEffect')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+ }
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json
new file mode 100644
index 0000000000..303a749f97
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json
@@ -0,0 +1,937 @@ +{ + "name": "Enforce-EncryptTransit_20240509", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. ", + "metadata": { + "version": "1.0.0", + "category": "Encryption", + "source": "https://github.com/Azure/Enterprise-Scale/", + "replacesPolicy": "Enforce-EncryptTransit", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "AppServiceHttpEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below", + "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny." + } + }, + "AppServiceTlsVersionEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService WebApp, APIApp, Function App to enable https only", + "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny." 
+ } + }, + "AppServiceminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "App Service. Select version minimum TLS Web App config", + "description": "App Service. Select version minimum TLS version for a Web App config to enforce" + } + }, + "APIAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionLatestTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Latest TLS version should be used in your Function App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "FunctionServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionAppTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Configure Function apps to use the latest TLS version.", + "description": "App Service Function App. 
Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version." + }, + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "LogicAppTlsEffect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "WebAppServiceLatestTlsEffect": { + "metadata": { + "displayName": "App Service Web App. Latest TLS version should be used in your Web App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "WebAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "AKSIngressHttpsOnlyEffect": { + "metadata": { + "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster", + "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc." 
+ }, + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ] + }, + "MySQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "MySQLEnableSSLEffect": { + "metadata": { + "displayName": "MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "MySQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "MySQL database servers. 
Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "PostgreSQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "PostgreSQLEnableSSLEffect": { + "metadata": { + "displayName": "PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "PostgreSQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. 
Select version minimum TLS for MySQL server", + "description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "RedisTLSDeployEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "RedisMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis", + "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce" + } + }, + "RedisTLSEffect": { + "metadata": { + "displayName": "Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled", + "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking." 
+ }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "SQLManagedInstanceTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "SQLManagedInstanceMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance", + "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce" + } + }, + "SQLManagedInstanceTLSEffect": { + "metadata": { + "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "SQLServerTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure SQL Database. 
Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "SQLServerminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database", + "description": "Select version minimum TLS version for Azure SQL Database to enforce" + } + }, + "SQLServerTLSEffect": { + "metadata": { + "displayName": "Azure SQL Database should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "StorageDeployHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "StorageminimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Storage Account select minimum TLS version", + "description": "Select version minimum TLS version on Azure Storage Account to enforce" + } + }, + "ContainerAppsHttpsOnlyEffect": { + "metadata": { + "displayName": "Container Apps should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps." 
+ }, + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "logicAppHttpsEffect": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "functionAppSlotsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceAppsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "functionAppSlotsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "functionAppHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerAppsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubMinTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "sqlManagedTlsVersion": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "sqlDbTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsTls": { + "type": "string", + "defaultValue": "Deny", + 
"allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseTlsVersion": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AppServiceHttpEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceHttpEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceminTlsVersion", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceTlsVersionEffect')]" + }, + "minTlsVersion": { + "value": "[[parameters('AppServiceminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "parameters": { + "effect": { + "value": "[[parameters('FunctionLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "parameters": { + "effect": { + "value": "[[parameters('APIAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": 
"FunctionServiceHttpsEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "parameters": { + "effect": { + "value": "[[parameters('FunctionServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "parameters": { + "effect": { + "value": "[[parameters('AKSIngressHttpsOnlyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect", + "policyDefinitionId": 
"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisTLSDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisdisableNonSslPort", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisDenyhttps", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": 
"SQLManagedInstanceTLSDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "parameters": { + "effect": { + "value": 
"[[parameters('StorageDeployHttpsEnabledEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('StorageMinimumTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "parameters": { + "effect": { + "value": "[[parameters('ContainerAppsHttpsOnlyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-FunctionApp-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('FunctionAppTlsEffect')]" + } + } + }, + { + "policyDefinitionReferenceId": "Deploy-LogicApp-TLS", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('LogicAppTlsEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https", + "policyDefinitionReferenceId": "Deny-LogicApp-Without-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('logicAppHttpsEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063", + "policyDefinitionReferenceId": "Dine-Function-Apps-Slots-Tls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d", + "policyDefinitionReferenceId": "Dine-AppService-Apps-Tls", + "groupNames": [], + "parameters": { + "effect": { + "value": 
"[[parameters('appServiceAppsTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d", + "policyDefinitionReferenceId": "Deny-AppService-Apps-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50", + "policyDefinitionReferenceId": "Deny-AppService-Tls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df", + "policyDefinitionReferenceId": "DINE-AppService-AppSlotTls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71", + "policyDefinitionReferenceId": "Deny-FuncAppSlots-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab", + "policyDefinitionReferenceId": "Deny-FunctionApp-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc", + "policyDefinitionReferenceId": "Deny-AppService-Slots-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "policyDefinitionReferenceId": 
"Deny-ContainerApps-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerAppsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-MINTLS", + "policyDefinitionReferenceId": "Deny-EH-MINTLS", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventHubMinTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4", + "policyDefinitionReferenceId": "Deny-Sql-Managed-Tls-Version", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf", + "policyDefinitionReferenceId": "Deny-Sql-Db-Tls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('sqlDbTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0", + "policyDefinitionReferenceId": "Deny-Storage-Tls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4", + "policyDefinitionReferenceId": "Deny-Synapse-Tls-Version", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseTlsVersion')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json index 2c811717b8..4bd606e7d2 100644 
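Review bot: The metadata of `AppServiceHttpEffect` and `AppServiceTlsVersionEffect` are swapped relative to the definitions they drive: `AppServiceHttpEffect` is wired to `Append-AppService-httpsonly` but its displayName/description describe setting the minimum TLS version, while `AppServiceTlsVersionEffect` is wired to `Append-AppService-latestTLS` but is described as enabling HTTPS only; exchanging the two `metadata` objects fixes it. `PostgreSQLminimalTlsVersion` still carries the MySQL copy and should read `"displayName": "PostgreSQL database servers. Select version minimum TLS for PostgreSQL server"` with a matching description, and the initiative description has `polices` for `policies`. The newer parameters (`LogicAppTlsEffect` and everything from `logicAppHttpsEffect` through `synapseTlsVersion`) have no `metadata` at all, so an assignment in the portal shows bare parameter names with no hint of which resource type or effect is being chosen; a one-line displayName/description per parameter in the style of the older ones would close that gap. The storage entry references `[[parameters('StorageMinimumTlsVersion')]` while the parameter is declared `StorageminimumTlsVersion`; as far as I know parameter lookup is case-insensitive, but aligning the spelling avoids a reader assuming a dangling reference. The built-in `0e80e269-43a4-4ae9-b5bc-178126b8a5cb` is referenced twice (`ContainerAppsHttpsOnlyEffect` and `Deny-ContainerApps-Https`), giving two independent effect switches for the same check, so presumably one of the pair can be dropped.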
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json 
@@ -1,364 +1,628 @@ { - "name": "Enforce-Encryption-CMK", - "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", - "scope": null, - "properties": { - "policyType": "Custom", - "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", - "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", - "metadata": { - "version": "2.0.0", - "category": "Encryption", - "source": "https://github.com/Azure/Enterprise-Scale/", - "alzCloudEnvironments": [ - "AzureCloud" - ] - }, - "parameters": { - "ACRCmkEffect": { + "name": "Enforce-Encryption-CMK", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", "metadata": { - "displayName": "Container registries should be encrypted with a customer-managed key (CMK)", - "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK." 
+ "version": "3.0.0", + "category": "Encryption", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, - "AksCmkEffect": { - "metadata": { - "displayName": "Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys", - "description": "Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards." - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, - "WorkspaceCMKEffect": { - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "metadata": { - "displayName": "Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)", - "description": "Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk." - } - }, - "CognitiveServicesCMKEffect": { - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "metadata": { - "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", - "description": "Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. 
CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." - } - }, - "CosmosCMKEffect": { - "type": "String", - "defaultValue": "audit", - "allowedValues": [ - "audit", - "deny", - "disabled" - ], - "metadata": { - "displayName": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest", - "description": "Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." - } - }, - "DataBoxCMKEffect": { - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "metadata": { - "displayName": "Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password", - "description": "Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key." 
- } - }, - "StreamAnalyticsCMKEffect": { - "type": "String", - "defaultValue": "audit", - "allowedValues": [ - "audit", - "deny", - "disabled" - ], - "metadata": { - "displayName": "Azure Stream Analytics jobs should use customer-managed keys to encrypt data", - "description": "Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted." - } - }, - "SynapseWorkspaceCMKEffect": { - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "metadata": { - "displayName": "Azure Synapse workspaces should use customer-managed keys to encrypt data at rest", - "description": "Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys." - } - }, - "StorageCMKEffect": { - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled" - ], - "metadata": { - "displayName": "Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption", - "description": "Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data." 
- } - }, - "MySQLCMKEffect": { - "type": "String", - "defaultValue": "AuditIfNotExists", - "allowedValues": [ - "AuditIfNotExists", - "Disabled" - ], - "metadata": { - "displayName": "Azure MySQL servers bring your own key data protection should be enabled", - "description": "Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." - } - }, - "PostgreSQLCMKEffect": { - "type": "String", - "defaultValue": "AuditIfNotExists", - "allowedValues": [ - "AuditIfNotExists", - "Disabled" - ], - "metadata": { - "displayName": "Azure PostgreSQL servers bring your own key data protection should be enabled", - "description": "Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." - } - }, - "SqlServerTDECMKEffect": { - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "metadata": { - "displayName": "SQL servers should use customer-managed keys to encrypt data at rest", - "description": "Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. 
This recommendation applies to organizations with a related compliance requirement." - } - }, - "HealthcareAPIsCMKEffect": { - "type": "String", - "defaultValue": "audit", - "allowedValues": [ - "audit", - "disabled" - ], - "metadata": { - "displayName": "Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest", - "description": "Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys." - } - }, - "AzureBatchCMKEffect": { - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "metadata": { - "displayName": "Azure Batch account should use customer-managed keys to encrypt data", - "description": "Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK." - } - }, - "EncryptedVMDisksEffect": { - "type": "String", - "defaultValue": "AuditIfNotExists", - "allowedValues": [ - "AuditIfNotExists", - "Disabled" - ], - "metadata": { - "displayName": "Disk encryption should be applied on virtual machines", - "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations." 
- } - } - }, - "policyDefinitions": [ - { - "policyDefinitionReferenceId": "ACRCmkDeny", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", "parameters": { - "effect": { - "value": "[[parameters('ACRCmkEffect')]" - } + "ACRCmkEffect": { + "metadata": { + "displayName": "Container registries should be encrypted with a customer-managed key (CMK)", + "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK." + }, + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "AksCmkEffect": { + "metadata": { + "displayName": "Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys", + "description": "Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards." + }, + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "WorkspaceCMKEffect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)", + "description": "Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). 
By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk." + } + }, + "CognitiveServicesCMKEffect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", + "description": "Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." + } + }, + "CosmosCMKEffect": { + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ], + "metadata": { + "displayName": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest", + "description": "Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." 
+ } + }, + "DataBoxCMKEffect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password", + "description": "Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key." + } + }, + "StreamAnalyticsCMKEffect": { + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ], + "metadata": { + "displayName": "Azure Stream Analytics jobs should use customer-managed keys to encrypt data", + "description": "Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted." + } + }, + "SynapseWorkspaceCMKEffect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Synapse workspaces should use customer-managed keys to encrypt data at rest", + "description": "Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys." 
+ } + }, + "StorageCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption", + "description": "Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data." + } + }, + "MySQLCMKEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure MySQL servers bring your own key data protection should be enabled", + "description": "Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." + } + }, + "PostgreSQLCMKEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure PostgreSQL servers bring your own key data protection should be enabled", + "description": "Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. 
CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." + } + }, + "SqlServerTDECMKEffect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "SQL servers should use customer-managed keys to encrypt data at rest", + "description": "Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement." + } + }, + "HealthcareAPIsCMKEffect": { + "type": "String", + "defaultValue": "audit", + "allowedValues": [ + "audit", + "disabled" + ], + "metadata": { + "displayName": "Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest", + "description": "Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys." + } + }, + "AzureBatchCMKEffect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Batch account should use customer-managed keys to encrypt data", + "description": "Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK." + } + }, + "EncryptedVMDisksEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Disk encryption should be applied on virtual machines", + "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations." + } + }, + "AutomationAccountCmkEffect": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "BackupCmkEffect": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveSearchCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "osAndDataDiskCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerInstanceCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adxCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adfCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubNamespacesCmk": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "eventHubPremiumCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "serviceBusDenyCmk": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "sqlManagedCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" 
+ ] + }, + "storageTableCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsEncryptionCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageQueueCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "AksCmkDeny", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", - "parameters": { - "effect": { - "value": "[[parameters('AksCmkEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "WorkspaceCMK", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", - "parameters": { - "effect": { - "value": "[[parameters('WorkspaceCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "CognitiveServicesCMK", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", - "parameters": { - "effect": { - "value": "[[parameters('CognitiveServicesCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "CosmosCMKEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", - "parameters": { - "effect": { - "value": "[[parameters('CosmosCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "DataBoxCMKEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", - "parameters": { - "effect": { - "value": "[[parameters('DataBoxCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "StreamAnalyticsCMKEffect", - "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", - "parameters": { - "effect": { - "value": "[[parameters('StreamAnalyticsCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "SynapseWorkspaceCMKEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", - "parameters": { - "effect": { - "value": "[[parameters('SynapseWorkspaceCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "StorageCMKEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", - "parameters": { - "effect": { - "value": "[[parameters('StorageCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "MySQLCMKEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", - "parameters": { - "effect": { - "value": "[[parameters('MySQLCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "PostgreSQLCMKEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", - "parameters": { - "effect": { - "value": "[[parameters('PostgreSQLCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "SqlServerTDECMKEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8", - "parameters": { - "effect": { - "value": "[[parameters('SqlServerTDECMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "HealthcareAPIsCMKEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119", - "parameters": { - "effect": { - "value": "[[parameters('HealthcareAPIsCMKEffect')]" - } - }, - "groupNames": [] - }, - { - 
"policyDefinitionReferenceId": "AzureBatchCMKEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", - "parameters": { - "effect": { - "value": "[[parameters('AzureBatchCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "EncryptedVMDisksEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", - "parameters": { - "effect": { - "value": "[[parameters('EncryptedVMDisksEffect')]" - } - }, - "groupNames": [] - } - ], - "policyDefinitionGroups": null - } -} + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "ACRCmkDeny", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", + "parameters": { + "effect": { + "value": "[[parameters('ACRCmkEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AksCmkDeny", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", + "parameters": { + "effect": { + "value": "[[parameters('AksCmkEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WorkspaceCMK", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", + "parameters": { + "effect": { + "value": "[[parameters('WorkspaceCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "CognitiveServicesCMK", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", + "parameters": { + "effect": { + "value": "[[parameters('CognitiveServicesCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "CosmosCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "parameters": { + "effect": { + 
"value": "[[parameters('CosmosCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DataBoxCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", + "parameters": { + "effect": { + "value": "[[parameters('DataBoxCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StreamAnalyticsCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", + "parameters": { + "effect": { + "value": "[[parameters('StreamAnalyticsCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SynapseWorkspaceCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", + "parameters": { + "effect": { + "value": "[[parameters('SynapseWorkspaceCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", + "parameters": { + "effect": { + "value": "[[parameters('StorageCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", + "parameters": { + "effect": { + "value": "[[parameters('MySQLCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlServerTDECMKEffect", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8", + "parameters": { + "effect": { + "value": "[[parameters('SqlServerTDECMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "HealthcareAPIsCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119", + "parameters": { + "effect": { + "value": "[[parameters('HealthcareAPIsCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AzureBatchCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", + "parameters": { + "effect": { + "value": "[[parameters('AzureBatchCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "EncryptedVMDisksEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", + "parameters": { + "effect": { + "value": "[[parameters('EncryptedVMDisksEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b", + "policyDefinitionReferenceId": "Deny-Aa-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('AutomationAccountCmkEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671", + "policyDefinitionReferenceId": "Deny-Backup-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('BackupCmkEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f", + "policyDefinitionReferenceId": "Deny-CognitiveSearch-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchCmk')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0", + "policyDefinitionReferenceId": "Deny-OsAndDataDisk-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('osAndDataDiskCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6", + "policyDefinitionReferenceId": "Deny-ContainerInstance-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerInstanceCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa", + "policyDefinitionReferenceId": "Deny-ADX-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('adxCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e", + "policyDefinitionReferenceId": "Deny-Adf-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('adfCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec", + "policyDefinitionReferenceId": "Deny-EH-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK", + "policyDefinitionReferenceId": "Deny-EH-Premium-CMK", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventHubPremiumCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a", + "policyDefinitionReferenceId": "Deny-Sb-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('serviceBusDenyCmk')]" + } + 
} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2", + "policyDefinitionReferenceId": "Deny-Sql-Managed-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688", + "policyDefinitionReferenceId": "Deny-Storage-Table-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageTableCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8", + "policyDefinitionReferenceId": "Deny-Storage-Encryption-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsEncryptionCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef", + "policyDefinitionReferenceId": "Deny-Storage-Queue-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageQueueCmk')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json new file mode 100644 index 0000000000..a995c1ad8a --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json 
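Review bot: The fourteen parameters added to `parameters` from `AutomationAccountCmkEffect` through `storageQueueCmk` carry no `metadata` block, whereas every pre-existing parameter in this set documents itself with `displayName` and `description`; a `metadata` object per new parameter, with a `displayName` matching the referenced policy's display name and a one-sentence `description` of what the effect controls, would keep assignment UIs and generated documentation readable. Naming is also mixed in the new block: `AutomationAccountCmkEffect` and `BackupCmkEffect` keep the PascalCase `Effect` suffix while the rest are camelCase without it, and `"type": "string"` differs from the `"String"` used by the existing parameters. `serviceBusDenyCmk` is wired to reference `Deny-Sb-Cmk` yet its `allowedValues` are only `Audit`/`Disabled` with default `Audit`, so the name promises a deny the parameter cannot express (the `Deny-EH-Cmk` reference bound to the audit-only `eventHubNamespacesCmk` has the same mismatch); renaming the parameter and reference, e.g. `serviceBusCmk` / `Audit-Sb-Cmk`, would stop operators assuming enforcement where only auditing is possible. The `metadata.version` bump to `3.0.0` is appropriate given most defaults move from `Audit` to `Deny`.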
@@ -0,0 +1,234 @@ +{ + "name": "Enforce-Guardrails-APIM", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for API Management", + "description": "This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "API Management", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "apiSubscriptionScope": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "minimumApiVersion": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "apimSkuVnet": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "apimDisablePublicNetworkAccess": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "apimApiBackendCertValidation": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "apimDirectApiEndpoint": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "apimCallApiAuthn": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "apimEncryptedProtocols": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "apimVnetUsage": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "apimSecrets": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + 
"Audit", + "Deny", + "Disabled" + ] + }, + "apimTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249", + "policyDefinitionReferenceId": "Deny-Apim-without-Kv", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('apimSecrets')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b", + "policyDefinitionReferenceId": "Deny-Apim-without-Vnet", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('apimVnetUsage')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS", + "policyDefinitionReferenceId": "Deny-APIM-TLS", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('apimTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4", + "policyDefinitionReferenceId": "Deny-Apim-Protocols", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('apimEncryptedProtocols')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54", + "policyDefinitionReferenceId": "Deny-Apim-Authn", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('apimCallApiAuthn')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4", + "policyDefinitionReferenceId": "Deny-Apim-Direct-Endpoint", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('apimDirectApiEndpoint')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4", + "policyDefinitionReferenceId": "Deny-Apim-Cert-Validation", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('apimApiBackendCertValidation')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2", + "policyDefinitionReferenceId": "Dine-Apim-Public-NetworkAccess", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('apimDisablePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5", + "policyDefinitionReferenceId": "Deny-Apim-Sku-Vnet", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('apimSkuVnet')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67", + "policyDefinitionReferenceId": "Deny-Apim-Version", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('minimumApiVersion')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1", + "policyDefinitionReferenceId": "Deny-Api-subscription-scope", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('apiSubscriptionScope')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json new file mode 100644 index 0000000000..d3e06a85f5 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json 
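Review bot: None of the initiative parameters in this file carry a `metadata` block, so `apiSubscriptionScope`, `minimumApiVersion`, `apimSkuVnet` and the rest surface in an assignment with only their raw names and no description of what each effect toggles. I would add `"metadata": { "displayName": "…", "description": "…" }` to every parameter, matching what the built-in initiatives expose, so an assigner can tell `apimTls` from `apimEncryptedProtocols` without opening the referenced definitions. The same gap applies to the App Service, Automation, Cognitive Services, Compute, Container Apps, Container Instance and Container Registry initiatives added below. The `Deny-APIM-TLS` entry references a custom definition under the `contoso` management group; presumably that placeholder is substituted at build time as for the existing definitions, but if it is not, the initiative will fail to create because the referenced definition id does not resolve.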
@@ -0,0 +1,367 @@ +{ + "name": "Enforce-Guardrails-AppServices", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for App Service", + "description": "This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "App Service", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "functionAppDebugging": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceDisableLocalAuth": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceSkuPl": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceDisableLocalAuthFtp": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceRouting": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceScmAuth": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceRfc": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppsRfc": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppsVnetRouting": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceEnvLatestVersion": { + "type": 
"string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotsRemoteDebugging": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceAppsRemoteDebugging": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceByoc": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "functionAppSlotsModifyHttps": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "appServiceAppHttps": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "functionAppSlotsModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "appServiceAppsModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "appServiceAppModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC", + "policyDefinitionReferenceId": "Deny-AppService-Byoc", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceByoc')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b", + "policyDefinitionReferenceId": "Dine-AppService-Apps-Remote-Debugging", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsRemoteDebugging')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd", + "policyDefinitionReferenceId": "Deny-AppService-Slots-Remote-Debugging", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotsRemoteDebugging')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a", + "policyDefinitionReferenceId": "Deny-AppService-Latest-Version", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceEnvLatestVersion')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5", + "policyDefinitionReferenceId": "Deny-AppService-Vnet-Routing", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsVnetRouting')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1", + "policyDefinitionReferenceId": "Deny-AppService-Rfc", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceRfc')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222", + "policyDefinitionReferenceId": "Deny-AppServiceApps-Rfc", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsRfc')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb", + "policyDefinitionReferenceId": "DINE-FuncApp-Debugging", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppDebugging')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79", + "policyDefinitionReferenceId": "DINE-AppService-ScmAuth", + "groupNames": [], + 
"parameters": { + "effect": { + "value": "[[parameters('appServiceScmAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4", + "policyDefinitionReferenceId": "Deny-AppServ-Routing", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceRouting')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5", + "policyDefinitionReferenceId": "Deny-AppServ-FtpAuth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceDisableLocalAuthFtp')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5", + "policyDefinitionReferenceId": "Deny-AppServ-SkuPl", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceSkuPl')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae", + "policyDefinitionReferenceId": "DINE-AppService-LocalAuth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceDisableLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b", + "policyDefinitionReferenceId": "DINE-AppService-Debugging", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppDebugging')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b", + "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsModifyHttps')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63", + "policyDefinitionReferenceId": "Modify-AppService-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c", + "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c", + "policyDefinitionReferenceId": "Modify-AppService-Apps-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee", + "policyDefinitionReferenceId": "Modify-AppService-App-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppModifyPublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json new file mode 100644 index 0000000000..3bcb0f4344 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json 
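Review bot: The `functionAppDebugging` parameter is wired to two different policy definitions (`DINE-FuncApp-Debugging` and `DINE-AppService-Debugging`), so the App Service debugging policy cannot be toggled independently of the Function App one, and the parameter name does not suggest it controls both. If that coupling is unintended, a dedicated `"appServiceDebugging"` parameter with the same `DeployIfNotExists`/`Disabled` values should back `DINE-AppService-Debugging`. Separately, the reference ids `Deny-AppService-Slots-Remote-Debugging` and `Deny-AppServ-FtpAuth` are bound to parameters whose only allowed values are `DeployIfNotExists` and `Disabled`, so the `Deny-` prefix is misleading; since reference ids are what exemptions and compliance views key on, renaming them to `DINE-…` before this ships avoids a breaking rename later.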
@@ -0,0 +1,137 @@ +{ + "name": "Enforce-Guardrails-Automation", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Automation Account", + "description": "This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Automation", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "aaModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "aaVariablesEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "aaLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "aaManagedIdentity": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "autoHotPatch": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "aaModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc", + "policyDefinitionReferenceId": "Deny-Windows-Vm-HotPatch", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('autoHotPatch')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0", + "policyDefinitionReferenceId": "Deny-Aa-Managed-Identity", + "groupNames": [], + "parameters": { + 
"effect": { + "value": "[[parameters('aaManagedIdentity')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700", + "policyDefinitionReferenceId": "Deny-Aa-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aaLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735", + "policyDefinitionReferenceId": "Deny-Aa-Variables-Encrypt", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aaVariablesEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81", + "policyDefinitionReferenceId": "Modify-Aa-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aaModifyLocalAUth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c", + "policyDefinitionReferenceId": "Modify-Aa-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aaModifyPublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json new file mode 100644 index 0000000000..ec6838b8d6 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json 
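Review bot: `Modify-Aa-Local-Auth` references `[[parameters('aaModifyLocalAUth')]` while the parameter is declared as `aaModifyLocalAuth`; even if the policy engine resolves parameter names case-insensitively, the mismatch should be fixed to `"value": "[[parameters('aaModifyLocalAuth')]"` so it does not trip a stricter validator or a future reader. `Deny-Aa-Managed-Identity` is bound to `aaManagedIdentity`, whose allowed values are only `Audit` and `Disabled`, so the `Deny-` prefix in the reference id overstates what the entry can enforce. `Deny-Windows-Vm-HotPatch` appears to be a Compute-scoped control rather than an Automation Account one; if it is meant to live here, a short note in the initiative `description` would help, otherwise it seems to belong in the Compute initiative.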
@@ -0,0 +1,118 @@ +{ + "name": "Enforce-Guardrails-CognitiveServices", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Cognitive Services", + "description": "This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "cognitiveSearchSku": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveSearchLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "modifyCognitiveSearchLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "modifyCognitiveSearchPublicEndpoint": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "cognitiveServicesModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83", + "policyDefinitionReferenceId": "Deny-CognitiveSearch-SKU", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchSku')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91", + "policyDefinitionReferenceId": "Deny-CongitiveSearch-LocalAuth", + "groupNames": [], + "parameters": { + "effect": { + "value": 
"[[parameters('cognitiveSearchLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75", + "policyDefinitionReferenceId": "Modify-CogntiveSearch-LocalAuth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('modifyCognitiveSearchLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30", + "policyDefinitionReferenceId": "Modify-CogntiveSearch-PublicEndpoint", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('modifyCognitiveSearchPublicEndpoint')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c", + "policyDefinitionReferenceId": "Modify-Cognitive-Services-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesModifyPublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json new file mode 100644 index 0000000000..2d447658fd --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json 
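Review bot: Three of the reference ids are misspelled: `Deny-CongitiveSearch-LocalAuth`, `Modify-CogntiveSearch-LocalAuth` and `Modify-CogntiveSearch-PublicEndpoint`. `policyDefinitionReferenceId` values are referenced by exemptions and compliance records, so correcting them after release is a breaking change; fixing them now to `Deny-CognitiveSearch-LocalAuth`, `Modify-CognitiveSearch-LocalAuth` and `Modify-CognitiveSearch-PublicEndpoint` is cheap.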
@@ -0,0 +1,64 @@
+{
+ "name": "Enforce-Guardrails-Compute",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Compute",
+ "description": "This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Compute",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "diskDoubleEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "vmAndVmssEncryptionHost": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87",
+ "policyDefinitionReferenceId": "Deny-VmAndVmss-Encryption-Host",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('vmAndVmssEncryptionHost')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816",
+ "policyDefinitionReferenceId": "Deny-Disk-Double-Encryption",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('diskDoubleEncryption')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json
new file mode 100644
index 0000000000..55ab33e46a
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json
@@ -0,0 +1,64 @@
+{
+ "name": "Enforce-Guardrails-ContainerApps",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Container Apps",
+ "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Container Apps",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "containerAppsManagedIdentity": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "containerAppsVnetInjection": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb",
+ "policyDefinitionReferenceId": "Deny-ContainerApp-Vnet-Injection",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('containerAppsVnetInjection')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7",
+ "policyDefinitionReferenceId": "Deny-ContainerApps-Managed-Identity",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('containerAppsManagedIdentity')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json
new file mode 100644
index 0000000000..22357be82d
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json
@@ -0,0 +1,45 @@
+{
+ "name": "Enforce-Guardrails-ContainerInstance",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Container Instance",
+ "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Container Instances",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "containerInstanceVnet": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615",
+ "policyDefinitionReferenceId": "Deny-ContainerInstance-Vnet",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('containerInstanceVnet')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json
new file mode 100644
index 0000000000..a21e7bdc53
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json
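Review bot: The initiative `description` still says "ensures Container Apps is compliant" although this file is the Container Instance initiative (its `displayName` and `category` say Container Instance); it looks copied from the Container Apps file and should read `"description": "This policy initiative is a group of policies that ensures Container Instances are compliant per regulated Landing Zones."`. The Container Registry initiative that follows has the same copied "Container Apps" wording in its `description` and should be corrected in the same way. The description is what the portal shows on the assignment blade, so the mismatch is visible to anyone assigning the set.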
@@ -0,0 +1,249 @@ +{ + "name": "Enforce-Guardrails-ContainerRegistry", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Container Registry", + "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Container Registry", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "containerRegistryUnrestrictedNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerRegistryRepositoryToken": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerRegistryModifyRepositoryToken": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "containerRegistryLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerRegistryModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "containerRegistryExports": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerRegistryAnAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerRegistryModifyAnAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "containerRegistrySkuPrivateLink": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + 
"containerRegistryArmAudience": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerRegistryModifyArmAudience": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "containerRegistryModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Repo-Token", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyRepositoryToken')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Arm-Audience", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryArmAudience')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Arm-Audience", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyArmAudience')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Sku-PrivateLink", + "groupNames": [], + "parameters": { + 
"effect": { + "value": "[[parameters('containerRegistrySkuPrivateLink')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Anonymous-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyAnAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Anonymous-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryAnAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Exports", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryExports')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Repo-Token", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryRepositoryToken')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Unrestricted-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryUnrestrictedNetworkAccess')]" + } 
+ } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyPublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json new file mode 100644 index 0000000000..78b5883aab --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json 
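Review bot: `containerRegistryAnAuth` and `containerRegistryModifyAnAuth` are the only parameters in this file abbreviated past recognition; the reference IDs they feed spell the setting out as `Deny-ContainerRegistry-Anonymous-Auth` and `Modify-ContainerRegistry-Anonymous-Auth`. Parameter names are the assignment interface and cannot be renamed later without a breaking version bump, so `containerRegistryAnonymousAuth` / `containerRegistryModifyAnonymousAuth` is worth settling now, before the 1.0.0 tag in this file's metadata is published.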
@@ -0,0 +1,124 @@ +{ + "name": "Enforce-Guardrails-CosmosDb", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Cosmos DB", + "description": "This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Cosmos DB", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "cosmosDbLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cosmosDbFwRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cosmosDbAtp": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "cosmosDbModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "cosmosDbModifyPublicAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049", + "policyDefinitionReferenceId": "Modify-CosmosDb-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656", + "policyDefinitionReferenceId": "Dine-CosmosDb-Atp", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbAtp')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb", + "policyDefinitionReferenceId": "Deny-CosmosDb-Fw-Rules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbFwRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2", + "policyDefinitionReferenceId": "Deny-CosmosDb-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5", + "policyDefinitionReferenceId": "Append-CosmosDb-Metadata", + "groupNames": [], + "parameters": {} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088", + "policyDefinitionReferenceId": "Modify-CosmosDb-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbModifyPublicAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json new file mode 100644 index 0000000000..63dc68ab6d --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json 
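Review bot: `Append-CosmosDb-Metadata` is the only member of this initiative whose `parameters` is `{}`, so unlike every other entry it cannot be switched off at assignment through an effect parameter. If definition 4750c32b exposes an `effect` parameter, wire it the same way as its siblings, e.g. a `cosmosDbAppendMetadata` parameter with `"allowedValues": [ "Append", "Disabled" ]` and `"effect": { "value": "[[parameters('cosmosDbAppendMetadata')]" }`; if it does not, a `metadata.description` on the initiative stating that this append is always active would save operators from looking for a switch that does not exist. I cannot see the referenced definition from this diff, so which case applies needs confirming.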
@@ -0,0 +1,101 @@ +{ + "name": "Enforce-Guardrails-DataExplorer", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Data Explorer", + "description": "This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Azure Data Explorer", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "adxEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adxDoubleEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adxSku": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adxModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b", + "policyDefinitionReferenceId": "Deny-ADX-Sku-without-PL-Support", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('adxSku')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1", + "policyDefinitionReferenceId": "Deny-ADX-Double-Encryption", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('adxDoubleEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e", + "policyDefinitionReferenceId": "Deny-ADX-Encryption", + 
"groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('adxEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa", + "policyDefinitionReferenceId": "Modify-ADX-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('adxModifyPublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json new file mode 100644 index 0000000000..1e4ccb20de --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json 
@@ -0,0 +1,120 @@ +{ + "name": "Enforce-Guardrails-DataFactory", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Data Factory", + "description": "This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Data Factory", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "adfSqlIntegration": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adfLinkedServiceKeyVault": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adfGit": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adfManagedIdentity": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adfModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a", + "policyDefinitionReferenceId": "Deny-Adf-Managed-Identity", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('adfManagedIdentity')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307", + "policyDefinitionReferenceId": "Deny-Adf-Git", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('adfGit')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0", + "policyDefinitionReferenceId": "Deny-Adf-Linked-Service-Key-Vault", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('adfLinkedServiceKeyVault')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952", + "policyDefinitionReferenceId": "Deny-Adf-Sql-Integration", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('adfSqlIntegration')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7", + "policyDefinitionReferenceId": "Modify-Adf-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('adfModifyPublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json new file mode 100644 index 0000000000..e664afc6e7 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json 
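Review bot: Reference IDs in this file write the service acronym in mixed case (`Deny-Adf-Git`, `Modify-Adf-Public-Network-Access`) while the sibling initiatives added in this commit use upper case (`Deny-ADX-Encryption` in DataExplorer, `Deny-EH-Local-Auth` in EventHub, `Modify-KV-Fw` in KeyVault-Sup). Since `policyDefinitionReferenceId` values surface in compliance results and are what exemptions point at, they are awkward to rename after release, so one convention across the new files is worth fixing now, e.g. `Deny-ADF-Git`.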
@@ -0,0 +1,173 @@ +{ + "name": "Enforce-Guardrails-EventGrid", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Event Grid", + "description": "This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Event Grid", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "eventGridLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventGridPartnerNamespaceLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventGridPartnerNamespaceModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "eventGridTopicLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventGridTopicModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "eventGridDomainModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "eventGridDomainModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "eventGridTopicModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924", + "policyDefinitionReferenceId": 
"Modify-EventGrid-Partner-Namespace-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1", + "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventGridDomainModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c", + "policyDefinitionReferenceId": "Deny-EventGrid-Topic-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04", + "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e", + "policyDefinitionReferenceId": "Deny-EventGrid-Partner-Namespace-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventGridPartnerNamespaceLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd", + "policyDefinitionReferenceId": "Deny-EventGrid-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventGridLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4", + "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Public-Network-Access", + "groupNames": [], + "parameters": { + 
"effect": { + "value": "[[parameters('eventGridDomainModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172", + "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicModifyPublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json new file mode 100644 index 0000000000..feaf0a1baf --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json 
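Review bot: The Deny/Modify pairs here are asymmetric: Topic and Partner Namespace each get a `…LocalAuth` (Deny) and `…ModifyLocalAuth` parameter, Domain gets only `eventGridDomainModifyLocalAuth`, and the remaining Deny entry is named generically `eventGridLocalAuth` → `Deny-EventGrid-Local-Auth`. If definition 8bfadddb targets Event Grid domains, naming it `eventGridDomainLocalAuth` / `Deny-EventGrid-Domain-Local-Auth` would make the pairing explicit; if it targets something else, this parameter is the only one of the eight that omits the resource type. I cannot tell which from the diff, so a `metadata.description` on the parameter naming the resource type would settle it for operators either way.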
@@ -0,0 +1,101 @@ +{ + "name": "Enforce-Guardrails-EventHub", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Event Hub", + "description": "This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Event Hub", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "eventHubAuthRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubNamespacesLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubNamespacesModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "eventHubNamespacesDoubleEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c", + "policyDefinitionReferenceId": "Deny-EH-Double-Encryption", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesDoubleEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d", + "policyDefinitionReferenceId": "Modify-EH-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598", + 
"policyDefinitionReferenceId": "Deny-EH-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7", + "policyDefinitionReferenceId": "Deny-EH-Auth-Rules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventHubAuthRules')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json new file mode 100644 index 0000000000..3c68197a8e --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json 
@@ -0,0 +1,62 @@
+{
+ "name": "Enforce-Guardrails-KeyVault-Sup",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce additional recommended guardrails for Key Vault",
+ "description": "This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Key Vault",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "keyVaultManagedHsmDisablePublicNetworkModify": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "keyVaultModifyFw": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456",
+ "policyDefinitionReferenceId": "Modify-KV-PublicNetworkAccess",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc",
+ "policyDefinitionReferenceId": "Modify-KV-Fw",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultModifyFw')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json
index 52d3486187..0ae85c071b 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json
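Review bot: `keyVaultManagedHsmDisablePublicNetworkModify` is wired to a reference ID named `Modify-KV-PublicNetworkAccess`, so the parameter says Managed HSM while the reference ID says Key Vault; one of the two misdescribes what definition 84d327c3 targets, and which one I cannot tell from the diff. Confirm the resource type of that definition and align both names (e.g. `Modify-KV-ManagedHsm-PublicNetworkAccess` if it is Managed HSM). The `…Modify` suffix is also out of step with the rest of this commit, where `Modify` precedes the setting (`keyVaultModifyFw` in this same file, `adxModifyPublicNetworkAccess`, `eventHubNamespacesModifyLocalAuth`), so `keyVaultModifyManagedHsmPublicNetworkAccess` would match. These are assignment-facing names that cannot be changed later without a breaking version.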
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Azure Key Vault",
 "description": "Enforce recommended guardrails for Azure Key Vault.",
 "metadata": {
- "version": "1.0.0",
+ "version": "2.0.0",
 "category": "Key Vault",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -156,6 +156,292 @@ "description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'." }, "defaultValue": 90 + }, + "keyVaultCheckMinimumRSACertificateSize": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultMinimumRSACertificateSizeValue": { + "type": "integer", + "defaultValue": 2048, + "allowedValues": [ + 2048, + 3072, + 4096 + ] + }, + "keyVaultManagedHsmCheckMinimumRSAKeySize": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultManagedHsmMinimumRSAKeySizeValue": { + "type": "integer", + "defaultValue": 2048, + "allowedValues": [ + 2048, + 3072, + 4096 + ] + }, + "keyVaultCheckMinimumRSAKeySize": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultMinimumRSAKeySizeValue": { + "type": "integer", + "defaultValue": 2048, + "allowedValues": [ + 2048, + 3072, + 4096 + ] + }, + "keyVaultArmRbac": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultHmsPurgeProtection": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultCertificatesPeriod": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultCertValidPeriod": { + "type": "integer", + "defaultValue": 12 + }, + "keyVaultHmsKeysExpiration": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keysValidPeriod": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keysValidityInDays": { + 
"type": "integer", + "defaultValue": 90 + }, + "secretsValidPeriod": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "secretsValidityInDays": { + "type": "integer", + "defaultValue": 90 + }, + "keyVaultCertKeyTypes": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultEllipticCurve": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultCryptographicType": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keysActive": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keysActiveInDays": { + "type": "integer", + "defaultValue": 90 + }, + "keysCurveNames": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "secretsActiveInDays": { + "type": "integer", + "defaultValue": 90 + }, + "secretsActive": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultSecretContentType": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultNonIntegratedCa": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultNonIntegratedCaValue": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "The common name of the certificate authority", + "description": "The common name (CN) of the Certificate Authority (CA) provider. 
For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso" + } + }, + "keyVaultIntegratedCa": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultIntegratedCaValue": { + "type": "array", + "defaultValue": [ + "DigiCert", + "GlobalSign" + ] + }, + "keyVaultHsmMinimumDaysBeforeExpiration": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultHsmMinimumDaysBeforeExpirationValue": { + "type": "integer", + "defaultValue": 90 + }, + "keyVaultHmsCurveNames": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultHmsCurveNamesValue": { + "type": "array", + "defaultValue": [ + "P-256", + "P-256K", + "P-384", + "P-521" + ] + }, + "keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue": { + "type": "integer", + "defaultValue": 90 } }, "policyDefinitions": [ 
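Review bot: The new parameter names spell HSM two ways: `keyVaultHmsPurgeProtection`, `keyVaultHmsKeysExpiration`, `keyVaultHmsCurveNames` and `keyVaultHmsCurveNamesValue` use `Hms`, while `keyVaultHsmMinimumDaysBeforeExpiration` and `keyVaultManagedHsmCheckMinimumRSAKeySize` in the same hunk use `Hsm`; the `Hms` forms look like transpositions, and the reference IDs in the following hunk (`Deny-KV-Hms-PurgeProtection`, `Deny-KV-Hms-Key-Expire`) repeat them. This file is being taken to 2.0.0 in this same commit, which is the one moment these can be corrected without a further breaking version for assignments. Separately, `keyVaultNonIntegratedCaValue` defaults to `""` while its effect `keyVaultNonIntegratedCa` defaults to `Disabled`, so an operator who flips the effect to `Deny` without also supplying a CN gets whatever the referenced definition does with an empty issuer name; stating in that parameter's existing `metadata.description` that a value is required once the effect is enabled would head that off. The units of the new integer parameters are also implicit (`keyVaultCertValidPeriod` feeds `maximumValidityInMonths` in the next hunk, the `…InDays` ones feed `maximumValidityInDays`), which a one-line description per parameter would make explicit.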
@@ -250,6 +536,255 @@
 }
 },
 "groupNames": []
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0",
+ "policyDefinitionReferenceId": "Deny-KV-RSA-Keys-without-MinCertSize",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultCheckMinimumRSACertificateSize')]"
+ },
+ "minimumRSAKeySize": {
+ "value": "[[parameters('keyVaultMinimumRSACertificateSizeValue')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57",
+ "policyDefinitionReferenceId": "Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]"
+ },
+ "minimumRSAKeySize": {
+ "value": "[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9",
+ "policyDefinitionReferenceId": "Deny-KV-RSA-Keys-without-MinKeySize",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultCheckMinimumRSAKeySize')]"
+ },
+ "minimumRSAKeySize": {
+ "value": "[[parameters('keyVaultMinimumRSAKeySizeValue')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5",
+ "policyDefinitionReferenceId": "Deny-KV-without-ArmRbac",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultArmRbac')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383",
+ "policyDefinitionReferenceId": "Deny-KV-Hms-PurgeProtection",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultHmsPurgeProtection')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560",
+ "policyDefinitionReferenceId": "Deny-KV-Cert-Period",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultCertificatesPeriod')]"
+ },
+ "maximumValidityInMonths": {
+ "value": "[[parameters('keyVaultCertValidPeriod')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5",
+ "policyDefinitionReferenceId": "Deny-KV-Hms-Key-Expire",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultHmsKeysExpiration')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9",
+ "policyDefinitionReferenceId": "Deny-KV-Keys-Expire",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keysValidPeriod')]"
+ },
+ "maximumValidityInDays": {
+ "value": "[[parameters('keysValidityInDays')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f",
+ "policyDefinitionReferenceId": "Deny-KV-Secrets-ValidityDays",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('secretsValidPeriod')]"
+ },
+ "maximumValidityInDays": {
+ "value": "[[parameters('secretsValidityInDays')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f",
+ "policyDefinitionReferenceId": "Deny-KV-Key-Types",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultCertKeyTypes')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf",
+ "policyDefinitionReferenceId": "Deny-KV-Elliptic-Curve",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultEllipticCurve')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb",
+ "policyDefinitionReferenceId": "Deny-KV-Cryptographic-Type",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultCryptographicType')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9",
+ "policyDefinitionReferenceId": "Deny-KV-Key-Active",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keysActive')]"
+ },
+ "maximumValidityInDays": {
+ "value": "[[parameters('keysActiveInDays')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255",
+ "policyDefinitionReferenceId": "Deny-KV-Curve-Names",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keysCurveNames')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe",
+ "policyDefinitionReferenceId": "Deny-KV-Secret-ActiveDays",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('secretsActive')]"
+ },
+ "maximumValidityInDays": {
+ "value": "[[parameters('secretsActiveInDays')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3",
+ "policyDefinitionReferenceId": "Deny-Kv-Secret-Content-Type",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultSecretContentType')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341",
+ "policyDefinitionReferenceId": "Deny-Kv-Non-Integrated-Ca",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultNonIntegratedCa')]"
+ },
+ "caCommonName": {
+ "value": "[[parameters('keyVaultNonIntegratedCaValue')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82",
+ "policyDefinitionReferenceId": "Deny-Kv-Integrated-Ca",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultIntegratedCa')]"
+ },
+ "allowedCAs": {
+ "value": "[[parameters('keyVaultIntegratedCaValue')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653",
+ "policyDefinitionReferenceId": "Deny-Kv-Hsm-MinimumDays-Before-Expiration",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]"
+ },
+ "minimumDaysBeforeExpiration": {
+ "value": "[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e",
+ "policyDefinitionReferenceId": "Deny-Kv-Hsm-Curve-Names",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultHmsCurveNames')]"
+ },
+ "allowedECNames": {
+ "value": "[[parameters('keyVaultHmsCurveNamesValue')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427",
+ "policyDefinitionReferenceId": "Deny-Kv-Cert-Expiration-Within-Specific-Number-Days",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]"
+ },
+ "daysToExpire": {
+ "value": "[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]"
+ }
+ }
 }
 ],
 "policyDefinitionGroups": null
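Review bot: The policyDefinitionReferenceId values in this hunk mix `KV`/`Kv` and `Hms`/`Hsm` (`Deny-KV-Hms-PurgeProtection` and `Deny-KV-Hms-Key-Expire` next to `Deny-Kv-Hsm-MinimumDays-Before-Expiration` and `Deny-Kv-Hsm-Curve-Names`), and `Hms` reads as a transposition of HSM given the managed-HSM built-ins they reference. Reference IDs are what assignments, exemptions and compliance records key on, so renaming them after release is a breaking change; settling on one spelling now (`Deny-KV-Hsm-PurgeProtection`, `Deny-KV-Hsm-Key-Expire`) is cheap. Separately, `Deny-Kv-Non-Integrated-Ca` forwards `caCommonName` from a parameter whose default is an empty string while its effect defaults to Disabled, so anyone switching that effect to Deny without also supplying the common name will, as far as I can tell, have every certificate evaluated against an empty issuer name; that coupling belongs in the parameter's description. The parameter block those values come from starts before this hunk.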
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json
new file mode 100644
index 0000000000..508501d2e2
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json
@@ -0,0 +1,326 @@
+{
+ "name": "Enforce-Guardrails-Kubernetes",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Kubernetes",
+ "description": "This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Kubernetes",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "aksKms": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "aksCni": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "aksLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "aksPrivateCluster": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "aksPolicy": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "aksCommandInvoke": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "aksReadinessOrLivenessProbes": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "aksPrivContainers": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "aksPrivEscalation": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "aksAllowedCapabilities": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "aksTempDisk": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "aksInternalLb": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "aksDefaultNamespace": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "aksNakedPods": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "aksShareHostProcessAndNamespace": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "aksWindowsContainerAdministrator": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75",
+ "policyDefinitionReferenceId": "Deny-Aks-Windows-Container-Administrator",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('aksWindowsContainerAdministrator')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
+ "policyDefinitionReferenceId": "Deny-Aks-Shared-Host-Process-Namespace",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('aksShareHostProcessAndNamespace')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581",
+ "policyDefinitionReferenceId": "Deny-Aks-Naked-Pods",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('aksNakedPods')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373",
+ "policyDefinitionReferenceId": "Deny-Aks-Default-Namespace",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('aksDefaultNamespace')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e",
+ "policyDefinitionReferenceId": "Deny-Aks-Internal-Lb",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('aksInternalLb')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c",
+ "policyDefinitionReferenceId": "Deny-Aks-Temp-Disk-Encryption",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('aksTempDisk')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
+ "policyDefinitionReferenceId": "Deny-Aks-Allowed-Capabilities",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('aksAllowedCapabilities')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
+ "policyDefinitionReferenceId": "Deny-Aks-Priv-Escalation",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('aksPrivEscalation')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
+ "policyDefinitionReferenceId": "Deny-Aks-Priv-Containers",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('aksPrivContainers')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915",
+ "policyDefinitionReferenceId": "Deny-Aks-ReadinessOrLiveness-Probes",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('aksReadinessOrLivenessProbes')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc",
+ "policyDefinitionReferenceId": "Dine-Aks-Command-Invoke",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('aksCommandInvoke')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7",
+ "policyDefinitionReferenceId": "Dine-Aks-Policy",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('aksPolicy')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8",
+ "policyDefinitionReferenceId": "Deny-Aks-Private-Cluster",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('aksPrivateCluster')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32",
+ "policyDefinitionReferenceId": "Deny-Aks-Local-Auth",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('aksLocalAuth')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008",
+ "policyDefinitionReferenceId": "Deny-Aks-Kms",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('aksKms')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67",
+ "policyDefinitionReferenceId": "Deny-Aks-Cni",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('aksCni')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
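Review bot: The workload-level Deny members here (`Deny-Aks-Priv-Containers`, `Deny-Aks-Priv-Escalation`, `Deny-Aks-Allowed-Capabilities`, `Deny-Aks-Shared-Host-Process-Namespace`, `Deny-Aks-Default-Namespace`, `Deny-Aks-Naked-Pods` and the probe/Windows-admin ones) forward only `effect`, so the built-ins' own namespace-exclusion and label-selector inputs (as far as I recall `excludedNamespaces`, `namespaces`, `labelSelector`, plus `allowedCapabilities`/`requiredDropCapabilities` on c26596ff) stay at their defaults and cannot be tuned per assignment. With every one of them defaulting to Deny, system components that legitimately need privileged or host-namespace access (CSI drivers, monitoring agents, anything outside the built-ins' default excluded namespaces) will be rejected with no initiative-level escape hatch; I would add an `aksExcludedNamespaces` array parameter and forward it as `excludedNamespaces` on each of these entries, and expose the capability lists for the allowed-capabilities entry. Note also that these Gatekeeper-backed constraints only evaluate on clusters where the Azure Policy add-on is present, which is exactly what `Dine-Aks-Policy` installs, so until that remediation has run a Deny here does nothing on the data plane; that ordering dependency deserves a sentence in the `description`.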
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json
new file mode 100644
index 0000000000..74d25941c1
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json
@@ -0,0 +1,118 @@
+{
+ "name": "Enforce-Guardrails-MachineLearning",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Machine Learning",
+ "description": "This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Machine Learning",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "mlUserAssignedIdentity": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "mlModifyLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "mlLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "mlOutdatedOS": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "mlModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2",
+ "policyDefinitionReferenceId": "Deny-ML-Outdated-Os",
+ "groupNames": [],
+ "parameters": {
+ "effects": {
+ "value": "[[parameters('mlOutdatedOS')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f",
+ "policyDefinitionReferenceId": "Deny-ML-Local-Auth",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlLocalAuth')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512",
+ "policyDefinitionReferenceId": "Modify-ML-Local-Auth",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlModifyLocalAuth')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78",
+ "policyDefinitionReferenceId": "Deny-ML-User-Assigned-Identity",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlUserAssignedIdentity')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f",
+ "policyDefinitionReferenceId": "Modify-ML-Public-Network-Access",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlModifyPublicNetworkAccess')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json
new file mode 100644
index 0000000000..ce2b30161f
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json
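Review bot: `Deny-ML-Outdated-Os` passes its effect under the key `effects` while every other entry in the set uses `effect`; if that is the parameter name declared by built-in f110a506 it is correct, but a mismatch fails the policySetDefinition PUT at deployment time, so it should be verified against the definition rather than assumed to be a typo either way. Two of the five members default to `Modify` (`Modify-ML-Local-Auth`, `Modify-ML-Public-Network-Access`), which rewrites existing workspaces on remediation and requires the assignment's managed identity to hold the roles those definitions declare; neither the `description` nor any parameter metadata says so. I would extend the description with `Modify members change existing workspaces on remediation and require a managed identity on the assignment with the roles listed in the referenced definitions.` so the coupling is visible to whoever assigns this at management-group scope.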
@@ -0,0 +1,63 @@
+{
+ "name": "Enforce-Guardrails-MySQL",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for MySQL",
+ "description": "This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "MySQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "mySqlInfraEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "mySqlAdvThreatProtection": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816",
+ "policyDefinitionReferenceId": "Dine-MySql-Adv-Threat-Protection",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mySqlAdvThreatProtection')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4",
+ "policyDefinitionReferenceId": "Deny-MySql-Infra-Encryption",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mySqlInfraEncryption')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json
new file mode 100644
index 0000000000..4c67ef5539
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json
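Review bot: Both members reference built-ins that, as far as I recall, target the Single Server resource type (`Microsoft.DBforMySQL/servers`), whereas Flexible Server is `Microsoft.DBforMySQL/flexibleServers` and does not expose the infrastructure-encryption property the second policy checks; please confirm against the definitions of 80ed5239 and 3a58212a, because if so this initiative has no effect on the deployment model new landing zones are steered towards and the description `ensures MySQL is compliant` overstates its coverage. If confirmed, either scope the name (`Enforce recommended guardrails for MySQL (Single Server)`) or add flexible-server equivalents alongside. `Dine-MySql-Adv-Threat-Protection` also needs a managed identity on the assignment with the role its definition declares, which nothing in this file mentions.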
@@ -0,0 +1,525 @@
+{
+ "name": "Enforce-Guardrails-Network",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Network and Networking services",
+ "description": "This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "subnetUdr": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "subnetNsg": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "subnetServiceEndpoint": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "appGwWaf": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "vnetModifyDdos": {
+ "type": "string",
+ "defaultValue": "Modify"
+ },
+ "ddosPlanResourceId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "wafMode": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "wafModeRequirement": {
+ "type": "string",
+ "defaultValue": "Prevention"
+ },
+ "wafFwRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "wafModeAppGw": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "wafModeAppGwRequirement": {
+ "type": "string",
+ "defaultValue": "Prevention"
+ },
+ "denyMgmtFromInternet": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "denyMgmtFromInternetPorts": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Ports",
+ "description": "Ports to be blocked"
+ },
+ "defaultValue": [
+ "22",
+ "3389"
+ ]
+ },
+ "afwEnbaleTlsForAllAppRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "afwEnableTlsInspection": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "afwEmptyIDPSBypassList": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "afwEnableAllIDPSSignatureRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "afwEnableIDPS": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "wafAfdEnabled": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "vpnAzureAD": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "appGwTlsVersion": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "modifyUdr": {
+ "type": "string",
+ "defaultValue": "Disabled"
+ },
+ "modifyUdrNextHopIpAddress": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "modifyUdrNextHopType": {
+ "type": "string",
+ "defaultValue": "None"
+ },
+ "modifyUdrAddressPrefix": {
+ "type": "string",
+ "defaultValue": "0.0.0.0/0"
+ },
+ "modifyNsg": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "modifyNsgRuleName": {
+ "type": "string",
+ "defaultValue": "DenyAnyInternetOutbound"
+ },
+ "modifyNsgRulePriority": {
+ "type": "integer",
+ "defaultValue": 1000
+ },
+ "modifyNsgRuleDirection": {
+ "type": "string",
+ "defaultValue": "Outbound"
+ },
+ "modifyNsgRuleAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "modifyNsgRuleProtocol": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "modifyNsgRuleSourceAddressPrefix": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "modifyNsgRuleSourcePortRange": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "modifyNsgRuleDestinationAddressPrefix": {
+ "type": "string",
+ "defaultValue": "Internet"
+ },
+ "modifyNsgRuleDestinationPortRange": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "modifyNsgRuleDescription": {
+ "type": "string",
+ "defaultValue": "Deny any outbound traffic to the Internet"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010",
+ "policyDefinitionReferenceId": "Deny-Nsg-GW-subnet",
+ "groupNames": [],
+ "parameters": {}
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7",
+ "policyDefinitionReferenceId": "Deny-VPN-AzureAD",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('vpnAzureAD')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c",
+ "policyDefinitionReferenceId": "Deny-Waf-Afd-Enabled",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('wafAfdEnabled')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a",
+ "policyDefinitionReferenceId": "Deny-Waf-IDPS",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('afwEnableIDPS')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5",
+ "policyDefinitionReferenceId": "Deny-FW-AllIDPSS",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('afwEnableAllIDPSSignatureRules')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50",
+ "policyDefinitionReferenceId": "Deny-FW-EmpIDPSBypass",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('afwEmptyIDPSBypassList')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17",
+ "policyDefinitionReferenceId": "Deny-FW-TLS-Inspection",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('afwEnableTlsInspection')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596",
+ "policyDefinitionReferenceId": "Deny-FW-TLS-AllApp",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('afwEnbaleTlsForAllAppRules')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096",
+ "policyDefinitionReferenceId": "Deny-Waf-AppGw-mode",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('wafModeAppGw')]"
+ },
+ "modeRequirement": {
+ "value": "[[parameters('wafModeAppGwRequirement')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d",
+ "policyDefinitionReferenceId": "Deny-Waf-Fw-rules",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('wafFwRules')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8",
+ "policyDefinitionReferenceId": "Deny-Waf-mode",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('wafMode')]"
+ },
+ "modeRequirement": {
+ "value": "[[parameters('wafModeRequirement')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d",
+ "policyDefinitionReferenceId": "Modify-vNet-DDoS",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('vnetModifyDdos')]"
+ },
+ "ddosPlan": {
+ "value": "[[parameters('ddosPlanResourceId')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
+ "policyDefinitionReferenceId": "Deny-Ip-Forwarding",
+ "groupNames": [],
+ "parameters": {}
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114",
+ "policyDefinitionReferenceId": "Deny-vNic-Pip",
+ "groupNames": [],
+ "parameters": {}
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
+ "policyDefinitionReferenceId": "Deny-AppGw-Without-Waf",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('appGwWaf')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-UDR",
+ "policyDefinitionReferenceId": "Deny-Subnet-Without-UDR",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('subnetUdr')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg",
+ "policyDefinitionReferenceId": "Deny-Subnet-Without-NSG",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('subnetNsg')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints",
+ "policyDefinitionReferenceId": "Deny-Subnet-with-Service-Endpoints",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('subnetServiceEndpoint')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet",
+ "policyDefinitionReferenceId": "Deny-Mgmt-From-Internet",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('denyMgmtFromInternet')]"
+ },
+ "ports": {
+ "value": "[[parameters('denyMgmtFromInternetPorts')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls",
+ "policyDefinitionReferenceId": "Deny-AppGw-Without-Tls",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('appGwTlsVersion')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR",
+ "policyDefinitionReferenceId": "Modify-Udr",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('modifyUdr')]"
+ },
+ "nextHopIpAddress": {
+ "value": "[[parameters('modifyUdrNextHopIpAddress')]"
+ },
+ "nextHopType": {
+ "value": "[[parameters('modifyUdrNextHopType')]"
+ },
+ "addressPrefix": {
+ "value": "[[parameters('modifyUdrAddressPrefix')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG",
+ "policyDefinitionReferenceId": "Modify-Nsg",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('modifyNsg')]"
+ },
+ "nsgRuleName": {
+ "value": "[[parameters('modifyNsgRuleName')]"
+ },
+ "nsgRulePriority": {
+ "value": "[[parameters('modifyNsgRulePriority')]"
+ },
+ "nsgRuleDirection": {
+ "value": "[[parameters('modifyNsgRuleDirection')]"
+ },
+ "nsgRuleAccess": {
+ "value": "[[parameters('modifyNsgRuleAccess')]"
+ },
+ "nsgRuleProtocol": {
+ "value": "[[parameters('modifyNsgRuleProtocol')]"
+ },
+ "nsgRuleSourceAddressPrefix": {
+ "value": "[[parameters('modifyNsgRuleSourceAddressPrefix')]"
+ },
+ "nsgRuleSourcePortRange": {
+ "value": "[[parameters('modifyNsgRuleSourcePortRange')]"
+ },
+ "nsgRuleDestinationAddressPrefix": {
+ "value": "[[parameters('modifyNsgRuleDestinationAddressPrefix')]"
+ },
+ "nsgRuleDestinationPortRange": {
+ "value": "[[parameters('modifyNsgRuleDestinationPortRange')]"
+ },
+ "nsgRuleDescription": {
+ "value": "[[parameters('modifyNsgRuleDescription')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json
new file mode 100644
index 0000000000..06d322be64
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json
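Review bot: `modifyNsgRuleAccess` is forwarded to `Modify-Nsg` as `nsgRuleAccess`, i.e. the `access` field of the security rule the Modify effect writes, yet its `allowedValues` are the effect list `Audit`/`Deny`/`Disabled`; only `Deny` is a legal rule access, and picking `Audit` or `Disabled` yields a rule the network provider rejects, so it should read `"allowedValues": ["Allow", "Deny"]` with the `Deny` default kept. Second, `vnetModifyDdos` defaults to `Modify` while `ddosPlanResourceId` defaults to `""` and neither carries `allowedValues`, so an assignment that accepts the defaults hands an empty plan id to the Modify operation on every VNet write; defaulting the effect to `Disabled`, or dropping the default so the assigner must supply the plan, avoids that. Third, `afwEnbaleTlsForAllAppRules` is misspelled, and because parameter names are the initiative's public interface a rename after release breaks existing assignments, so it is worth fixing before this ships. Lastly, `Deny-Nsg-GW-subnet`, `Deny-Ip-Forwarding` and `Deny-vNic-Pip` are wired with no effect parameter and therefore cannot be relaxed at the initiative level, which may be deliberate but should be stated in the `description` so nobody assigns this expecting an Audit mode.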
@@ -0,0 +1,139 @@ +{ + "name": "Enforce-Guardrails-OpenAI", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Open AI (Cognitive Service)", + "description": "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "cognitiveServicesOutboundNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesNetworkAcls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesModifyDisableLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "cognitiveServicesDisableLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesCustomerStorage": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesManagedIdentity": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess", + "policyDefinitionReferenceId": "Deny-OpenAi-OutboundNetworkAccess", + "groupNames": [], + "parameters": { + "effect": { + "value": 
"[[parameters('cognitiveServicesOutboundNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls", + "policyDefinitionReferenceId": "Deny-OpenAi-NetworkAcls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesNetworkAcls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesManagedIdentity')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesDisableLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Cust-Storage", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesCustomerStorage')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555", + "policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesModifyDisableLocalAuth')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
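Review bot: None of the six entries under `properties.parameters` (`cognitiveServicesOutboundNetworkAccess` through `cognitiveServicesManagedIdentity`) carries a `metadata` block, so an assignment author sees only the bare name and cannot tell which policy definition reference each effect drives or why both `cognitiveServicesModifyDisableLocalAuth` and `cognitiveServicesDisableLocalAuth` exist; the same gap is in every new policySetDefinitions file in this commit (PostgreSQL, SQL, ServiceBus, Storage, Synapse, VirtualDesktop). Add per-parameter metadata in the form `"metadata": { "displayName": "Cognitive Services outbound network access", "description": "Effect for the Deny-CognitiveServices-RestrictOutboundNetworkAccess reference." }`. Separately, `alzCloudEnvironments` lists AzureChinaCloud and AzureUSGovernment while four of the references address built-in definitions by GUID; the diff does not show that those built-ins exist in the sovereign clouds, and since initiatives.bicep groups its files by cloud compatibility, a built-in that is absent there would fail the deployment of this initiative rather than be skipped. Confirm availability per cloud or place the file in the matching cloud-specific list.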
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json
new file mode 100644
index 0000000000..484292f11d
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json
@@ -0,0 +1,44 @@
+{
+ "name": "Enforce-Guardrails-PostgreSQL",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for PostgreSQL",
+ "description": "This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "PostgreSQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "postgreSqlAdvThreatProtection": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3",
+ "policyDefinitionReferenceId": "Dine-PostgreSql-Adv-Threat-Protection",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('postgreSqlAdvThreatProtection')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json
new file mode 100644
index 0000000000..5fb82b190f
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json
@@ -0,0 +1,106 @@ +{ + "name": "Enforce-Guardrails-SQL", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for SQL and SQL Managed Instance", + "description": "This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "sqlManagedAadOnly": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "sqlAadOnly": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "sqlManagedDefender": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "modifySqlPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd", + "policyDefinitionReferenceId": "Dine-Sql-Managed-Defender", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedDefender')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027", + "policyDefinitionReferenceId": "Deny-Sql-Aad-Only", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('sqlAadOnly')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f", + "policyDefinitionReferenceId": 
"Deny-Sql-Managed-Aad-Only", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedAadOnly')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6", + "policyDefinitionReferenceId": "Dine-Sql-Adv-Data", + "groupNames": [], + "parameters": {} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b", + "policyDefinitionReferenceId": "Modify-Sql-PublicNetworkAccess", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('modifySqlPublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json new file mode 100644 index 0000000000..79b30ef808 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json 
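Review bot: The `Dine-Sql-Adv-Data` reference (built-in `6134c3db-…`) is added with `"parameters": {}`, so unlike the other four references its effect cannot be switched to `Disabled` at assignment time; it is the only policy in this initiative an assignment is forced to deploy. If that built-in exposes an `effect` parameter (not verifiable from the diff), add a `sqlAdvData` parameter with allowed values `DeployIfNotExists`/`Disabled`, defaulting to `DeployIfNotExists` like `sqlManagedDefender`, and wire it as `"parameters": { "effect": { "value": "[[parameters('sqlAdvData')]" } }`. If it exposes none, say so in the initiative's parameter metadata, since every other reference in the file is parameterized and the empty object reads as an omission.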
@@ -0,0 +1,101 @@ +{ + "name": "Enforce-Guardrails-ServiceBus", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Service Bus", + "description": "This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Service Bus", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "serviceBusModifyDisableLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "serviceBusDenyDisabledLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "serviceBusDoubleEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "serviceBusAuthzRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee", + "policyDefinitionReferenceId": "Deny-Sb-Authz-Rules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('serviceBusAuthzRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b", + "policyDefinitionReferenceId": "Deny-Sb-Encryption", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('serviceBusDoubleEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af", + "policyDefinitionReferenceId": 
"Deny-Sb-LocalAuth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('serviceBusDenyDisabledLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e", + "policyDefinitionReferenceId": "Modify-Sb-LocalAuth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('serviceBusModifyDisableLocalAuth')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json new file mode 100644 index 0000000000..81fe23c337 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json 
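Review bot: `serviceBusDenyDisabledLocalAuth` is the effect parameter for the `Deny-Sb-LocalAuth` reference, but its name reads as "deny when local auth is disabled", the opposite of what a Deny on local authentication does, and it diverges from the naming the sibling initiatives use for the same kind of reference (`cognitiveServicesDisableLocalAuth`, `synapseLocalAuth`). Parameter names become part of the initiative's interface once it is assigned, so a later rename is a breaking change; renaming now to `serviceBusDisableLocalAuth` and updating the reference to `"value": "[[parameters('serviceBusDisableLocalAuth')]"` costs nothing. The `Deny-Sb-Encryption` reference id is likewise less specific than its parameter `serviceBusDoubleEncryption`; `Deny-Sb-Double-Encryption` would keep the two aligned.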
@@ -0,0 +1,463 @@ +{ + "name": "Enforce-Guardrails-Storage", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Storage Account", + "description": "This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "storageKeysExpiration": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountNetworkRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountRestrictNetworkRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageThreatProtection": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "storageClassicToArm": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsInfraEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountSharedKey": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsCrossTenant": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsDoubleEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsCopyScope": { + "type": 
"string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsAllowedCopyScope": { + "type": "string", + "defaultValue": "AAD" + }, + "storageServicesEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageLocalUser": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageSftp": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageNetworkAclsBypass": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAllowedNetworkAclsBypass": { + "type": "array", + "defaultValue": [ + "None" + ] + }, + "storageResourceAccessRulesTenantId": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageResourceAccessRulesResourceId": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageNetworkAclsVirtualNetworkRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageContainerDeleteRetentionPolicy": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageMinContainerDeleteRetentionInDays": { + "type": "Integer", + "defaultValue": 7 + }, + "storageCorsRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "modifyStorageFileSyncPublicEndpoint": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "modifyStorageAccountPublicEndpoint": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + 
"storageAccountsModifyDisablePublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope", + "policyDefinitionReferenceId": "Deny-Storage-CopyScope", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsCopyScope')]" + }, + "allowedCopyScope": { + "value": "[[parameters('storageAccountsAllowedCopyScope')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption", + "policyDefinitionReferenceId": "Deny-Storage-ServicesEncryption", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageServicesEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser", + "policyDefinitionReferenceId": "Deny-Storage-LocalUser", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageLocalUser')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-Sftp", + "policyDefinitionReferenceId": "Deny-Storage-Sftp", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageSftp')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass", + "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsBypass", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageNetworkAclsBypass')]" + }, + 
"allowedBypassOptions": { + "value": "[[parameters('storageAllowedNetworkAclsBypass')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId", + "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesTenantId", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageResourceAccessRulesTenantId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId", + "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesResourceId", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageResourceAccessRulesResourceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules", + "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsVirtualNetworkRules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageNetworkAclsVirtualNetworkRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy", + "policyDefinitionReferenceId": "Deny-Storage-ContainerDeleteRetentionPolicy", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageContainerDeleteRetentionPolicy')]" + }, + "minContainerDeleteRetentionInDays": { + "value": "[[parameters('storageMinContainerDeleteRetentionInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules", + "policyDefinitionReferenceId": 
"Deny-Storage-CorsRules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageCorsRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d", + "policyDefinitionReferenceId": "Deny-Storage-Account-Encryption", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsDoubleEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312", + "policyDefinitionReferenceId": "Deny-Storage-Cross-Tenant", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsCrossTenant')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54", + "policyDefinitionReferenceId": "Deny-Storage-Shared-Key", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountSharedKey')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a", + "policyDefinitionReferenceId": "Deny-Storage-Infra-Encryption", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsInfraEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606", + "policyDefinitionReferenceId": "Deny-Storage-Classic", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageClassicToArm')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c", + "policyDefinitionReferenceId": "Dine-Storage-Threat-Protection", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageThreatProtection')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", + "policyDefinitionReferenceId": "Deny-Storage-Restrict-NetworkRules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountRestrictNetworkRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f", + "policyDefinitionReferenceId": "Deny-Storage-NetworkRules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountNetworkRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537", + "policyDefinitionReferenceId": "Deny-Storage-Account-Keys-Expire", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageKeysExpiration')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b", + "policyDefinitionReferenceId": "Modify-Storage-FileSync-PublicEndpoint", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('modifyStorageFileSyncPublicEndpoint')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b", + "policyDefinitionReferenceId": "Modify-Blob-Storage-Account-PublicEndpoint", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('modifyStorageAccountPublicEndpoint')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d", + "policyDefinitionReferenceId": "Modify-Storage-Account-PublicEndpoint", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
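Review bot: `storageLocalUser` defaults to `Disabled` while every other Audit/Deny/Disabled parameter in the file defaults to `Deny`, and nothing in the file records why, so an assignment that takes the defaults enforces nothing for the `Deny-Storage-LocalUser` reference. If that is deliberate (for example because `storageSftp` defaulting to `Deny` is expected to cover the case), record it in parameter metadata such as `"description": "Effect for Deny-Storage-LocalUser; Disabled by default because <reason>."`, otherwise default it to `Deny` like its siblings; `synapseFwRules` in the Synapse file defaults to `Audit` and deserves the same treatment. `storageAccountsAllowedCopyScope` has a default but no `allowedValues`, so a mistyped scope is accepted at assignment and only surfaces as a non-matching deny at evaluation; mirror the allowed values of the underlying `Deny-Storage-CopyScope` definition. `storageMinContainerDeleteRetentionInDays` declares its type as `"Integer"` where the rest of the file uses lowercase `"string"` and `"array"`; pick one casing.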
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json
new file mode 100644
index 0000000000..7ba4b798e0
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json
@@ -0,0 +1,202 @@ +{ + "name": "Enforce-Guardrails-Synapse", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Synapse workspaces", + "description": "This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Synapse", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "synapseLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseManagedVnet": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseDataTraffic": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseTenants": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseAllowedTenantIds": { + "type": "array", + "defaultValue": [ + "[[subscription().tenantId]" + ] + }, + "synapseFwRules": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "synapseDefender": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "synapseModifyTlsVersion": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "synapseModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + 
}, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6", + "policyDefinitionReferenceId": "Dine-Synapse-Defender", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseDefender')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c", + "policyDefinitionReferenceId": "Modify-Synapse-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8", + "policyDefinitionReferenceId": "Deny-Synapse-Fw-Rules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseFwRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0", + "policyDefinitionReferenceId": "Deny-Synapse-Tenant-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseTenants')]" + }, + "allowedTenantIds": { + "value": "[[parameters('synapseAllowedTenantIds')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218", + "policyDefinitionReferenceId": "Deny-Synapse-Data-Traffic", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseDataTraffic')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650", + "policyDefinitionReferenceId": "Deny-Synapse-Managed-Vnet", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseManagedVnet')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8", 
+ "policyDefinitionReferenceId": "Deny-Synapse-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140", + "policyDefinitionReferenceId": "Modify-Synapse-Tls-Version", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseModifyTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a", + "policyDefinitionReferenceId": "Modify-Synapse-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseModifyPublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json new file mode 100644 index 0000000000..33564dda5f --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json 
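Review bot: `synapseAllowedTenantIds` defaults to `["[[subscription().tenantId]"]`, a template expression rather than a literal, and whether the policy engine ends up evaluating it depends on the `[[` escape being unwrapped by the loader in initiatives.bicep, whose body is cut off at the end of this diff; if the value stays a literal string, the `Deny-Synapse-Tenant-Access` reference would match no tenant, including the assigning one. Please confirm that the same unescaping applied to `[[parameters(...)]` also covers a parameter default, and state the intent on the parameter, e.g. `"metadata": { "description": "Tenant IDs allowed to access Synapse workspaces; defaults to the tenant of the subscription being evaluated." }`.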
@@ -0,0 +1,62 @@
+{
+ "name": "Enforce-Guardrails-VirtualDesktop",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Virtual Desktop",
+ "description": "This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Desktop Virtualization",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "avdWorkspaceModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "avdHostPoolModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f",
+ "policyDefinitionReferenceId": "Modify-Workspace-PublicNetworkAccess",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('avdWorkspaceModifyPublicNetworkAccess')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d",
+ "policyDefinitionReferenceId": "Modify-Hostpool-PublicNetworkAccess",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('avdHostPoolModifyPublicNetworkAccess')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/templates/initiatives.bicep b/src/templates/initiatives.bicep
new file mode 100644
index 0000000000..4f47402d4a
--- /dev/null
+++ b/src/templates/initiatives.bicep
@@ -0,0 +1,142 @@
+targetScope = 'managementGroup'
+
+@metadata({ message: 'The JSON version of this file is programatically generated from Bicep. PLEASE DO NOT UPDATE MANUALLY!!' })
+@description('Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = "alz"')
+@maxLength(10)
+param topLevelManagementGroupPrefix string = 'alz'
+
+@description('Optionally set the deployment location for policies with Deploy If Not Exists effect. DEFAULT VALUE = "deployment().location"')
+param location string = deployment().location
+
+@description('Optionally set the scope for custom Policy Definitions used in Policy Set Definitions (Initiatives). Must be one of \'/\', \'/subscriptions/id\' or \'/providers/Microsoft.Management/managementGroups/id\'. DEFAULT VALUE = \'/providers/Microsoft.Management/managementGroups/\${topLevelManagementGroupPrefix}\'')
+param scope string = tenantResourceId('Microsoft.Management/managementGroups', topLevelManagementGroupPrefix)
+
+// Extract the environment name to dynamically determine which policies to deploy.
+var cloudEnv = environment().name
+
+// Default deployment locations used in templates
+var defaultDeploymentLocationByCloudType = {
+ AzureCloud: 'northeurope'
+ AzureChinaCloud: 'chinaeast2'
+ AzureUSGovernment: 'usgovvirginia'
+}
+
+// Used to identify template variables used in the templates for replacement.
+var templateVars = {
+ scope: '/providers/Microsoft.Management/managementGroups/contoso'
+ defaultDeploymentLocation: '"location": "northeurope"'
+ localizedDeploymentLocation: '"location": "${defaultDeploymentLocationByCloudType[cloudEnv]}"'
+}
+
+// The following var contains lists of files containing Policy Set Definition (Initiative) resources to load, grouped by compatibility with Cloud.
+// To get a full list of Azure clouds, use the az cli command "az cloud list --output table"
+// We use loadTextContent instead of loadJsonContent as this allows us to perform string replacement operations against the imported templates.
+var loadPolicySetDefinitions = {
+ All: [
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json') // FSI specific initiative
+ ]
+ AzureCloud: [
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json') // Unable to validate if Guest Configuration is working in other clouds
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-DefenderSQL-AMA.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json') // Unable to validate if all Azure Site Recovery features are working in other clouds
+ ]
+ AzureChinaCloud: [
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json') // Due to missing built-in Policy Definitions ()
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureChinaCloud.json') // Due to missing "Deploy-Diagnostics-AVDScalingPlans" custom Policy Definition
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (44433aa3-7ec2-4002-93ea-65c65ff0310a, 50ea7265-7d8c-429e-9a7d-ca1f410191c3, b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d, 74c30959-af11-47b3-9ed2-a26e03f427a3, 1f725891-01c0-420a-9059-4fa46cb770b7, 2370a3c1-4a25-4283-a91a-c9c1a145fb2f, b7021b2b-08fd-4dc0-9de7-3c6ece09faf9, b99b73e7-074b-4089-9395-b7236f094491)
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json') // Due to missing built-in Policy Definitions ()
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (051cba44-2429-45b9-9649-46cec11c7119), and replacement custom Policy Definitions ("Deploy-MySQLCMKEffect", "Deploy-PostgreSQLCMKEffect")
+ ]
+ AzureUSGovernment: [
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (5e1de0e3-42cb-4ebc-a86d-61d0c619ca48, c9299215-ae47-4f50-9c54-8a392f68a052)
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureUSGovernment.json') // Due to missing "Deploy-Diagnostics-AVDScalingPlans" custom Policy Definition
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (44433aa3-7ec2-4002-93ea-65c65ff0310a, 50ea7265-7d8c-429e-9a7d-ca1f410191c3, b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d, 1f725891-01c0-420a-9059-4fa46cb770b7)
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (0b026355-49cb-467b-8ac4-f777874e175a)
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (83cef61d-dbd1-4b20-a4fc-5fbc7da10833, 18adea5e-f416-4d0f-8aa8-d24321e3e274, 051cba44-2429-45b9-9649-46cec11c7119)
+ ]
+}
+
+// The following vars are used to manipulate the imported Policy Set Definitions to replace Policy Definition scope values
+var processPolicySetDefinitionsAll = [for content in loadPolicySetDefinitions.All: replace(content, templateVars.scope, scope)]
+var processPolicySetDefinitionsAzureCloud = [for content in loadPolicySetDefinitions.AzureCloud: replace(content, templateVars.scope, scope)]
+var processPolicySetDefinitionsAzureChinaCloud = [for content in loadPolicySetDefinitions.AzureChinaCloud: replace(content, templateVars.scope, scope)]
+var processPolicySetDefinitionsAzureUSGovernment = [for content in loadPolicySetDefinitions.AzureUSGovernment: replace(content, templateVars.scope, scope)]
+
+// The following vars are used to convert the imported Policy Set Definitions into objects from JSON
+var policySetDefinitionsAll = [for content in processPolicySetDefinitionsAll: json(content)]
+var policySetDefinitionsAzureCloud = [for content in processPolicySetDefinitionsAzureCloud: json(content)]
+var policySetDefinitionsAzureChinaCloud = [for content in processPolicySetDefinitionsAzureChinaCloud: json(content)]
+var policySetDefinitionsAzureUSGovernment = [for content in processPolicySetDefinitionsAzureUSGovernment: json(content)]
+
+// The following var is used to compile the required Policy Definitions into a single object
+var policySetDefinitionsByCloudType = {
+ All: policySetDefinitionsAll
+ AzureCloud: policySetDefinitionsAzureCloud
+ AzureChinaCloud: policySetDefinitionsAzureChinaCloud
+ AzureUSGovernment: policySetDefinitionsAzureUSGovernment
+}
+
+// The following var is used to extract the Policy Set Definitions into a single list for deployment
+// This will contain all policy set definitions classified as available for All cloud environments, and those for the current cloud environment
+var policySetDefinitions = concat(policySetDefinitionsByCloudType.All, policySetDefinitionsByCloudType[cloudEnv])
+
+// Create the Policy Definitions as needed for the target cloud environment
+// Depends on Policy Definitons to ensure they exist before creating dependent Policy Set Definitions (Initiatives)
+resource PolicySetDefinitions 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = [for policy in policySetDefinitions: {
+ // dependsOn: [
+ // PolicyDefinitions
+ // ]
+ name: policy.name
+ properties: {
+ description: policy.properties.description
+ displayName: policy.properties.displayName
+ metadata: policy.properties.metadata
+ parameters: policy.properties.parameters
+ policyType: policy.properties.policyType
+ policyDefinitions: policy.properties.policyDefinitions
+ policyDefinitionGroups: policy.properties.policyDefinitionGroups
+ }
+}]
+
+// output policyDefinitionNames array = [for policy in policyDefinitions: policy.name]
+output policySetDefinitionNames array = [for policy in policySetDefinitions: policy.name]
diff --git a/src/templates/policies.bicep b/src/templates/policies.bicep
index cc7dc4cca1..e2ec8a9d91 100644
--- a/src/templates/policies.bicep
+++ b/src/templates/policies.bicep
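Review bot: The `dependsOn: [ PolicyDefinitions ]` block in the `PolicySetDefinitions` resource is commented out while the comment two lines above it still says the resource "Depends on Policy Definitons to ensure they exist", so the ordering that the old single template enforced is now an unstated contract: every initiative whose `policyDefinitionId` values are rewritten by `replace(content, templateVars.scope, scope)` (the AzureChinaCloud entries mention custom definitions such as `Deploy-MySQLCMKEffect`) will fail to create unless policies.bicep has already been deployed to the same `scope`. Replace the stale comment with one that states this, e.g. `// NOTE: no dependsOn here — the custom Policy Definitions from policies.bicep must already exist at 'scope', otherwise the initiatives that reference them fail to deploy`, and drop the three commented-out `dependsOn` lines. The `location` parameter and the `defaultDeploymentLocationByCloudType`, `defaultDeploymentLocation` and `localizedDeploymentLocation` values are never read in this file (only `templateVars.scope` is used), so either remove them or comment that they are kept for parity with policies.bicep. Typos in the comments: "programatically" → "programmatically", "Definitons" → "Definitions".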
@@ -36,33 +36,6 @@ var targetDeploymentLocationByCloudType = { var deploymentLocation = '"location": "${targetDeploymentLocationByCloudType[cloudEnv]}"' -// Unable to do the following commented out approach due to the error "The value must be a compile-time constant.bicep(BCP032)" -// See: https://github.com/Azure/bicep/issues/3816#issuecomment-1191230215 - -// The following vars are used to load the list of Policy Definitions to import -// var listPolicyDefinitionsAll = loadJsonContent('../data/policyDefinitions.All.json') -// var listPolicyDefinitionsAzureCloud = loadJsonContent('../data/policyDefinitions.AzureCloud.json') -// var listPolicyDefinitionsAzureChinaCloud = loadJsonContent('../data/policyDefinitions.AzureChinaCloud.json') -// var listPolicyDefinitionsAzureUSGovernment = loadJsonContent('../data/policyDefinitions.AzureUSGovernment.json') - -// The following vars are used to load the list of Policy Set Definitions to import -// var listPolicySetDefinitionsAll = loadJsonContent('../data/policySetDefinitions.All.json') -// var listPolicySetDefinitionsAzureCloud = loadJsonContent('../data/policySetDefinitions.AzureCloud.json') -// var listPolicySetDefinitionsAzureChinaCloud = loadJsonContent('../data/policySetDefinitions.AzureChinaCloud.json') -// var listPolicySetDefinitionsAzureUSGovernment = loadJsonContent('../data/policySetDefinitions.AzureUSGovernment.json') - -// The following vars are used to load the list of Policy Definitions to import -// var loadPolicyDefinitionsAll = [for item in listPolicyDefinitionsAll: loadTextContent(item)] -// var loadPolicyDefinitionsAzureCloud = [for item in listPolicyDefinitionsAzureCloud: loadTextContent(item)] -// var loadPolicyDefinitionsAzureChinaCloud = [for item in listPolicyDefinitionsAzureChinaCloud: loadTextContent(item)] -// var loadPolicyDefinitionsAzureUSGovernment = [for item in listPolicyDefinitionsAzureUSGovernment: loadTextContent(item)] - -// The following vars are used to load the list of Policy Set 
Definitions to import -// var loadPolicySetDefinitionsAll = [for item in listPolicySetDefinitionsAll: loadTextContent(item)] -// var loadPolicySetDefinitionsAzureCloud = [for item in listPolicySetDefinitionsAzureCloud: loadTextContent(item)] -// var loadPolicySetDefinitionsAzureChinaCloud = [for item in listPolicySetDefinitionsAzureChinaCloud: loadTextContent(item)] -// var loadPolicySetDefinitionsAzureUSGovernment = [for item in listPolicySetDefinitionsAzureUSGovernment: loadTextContent(item)] - // The following var contains lists of files containing Policy Definition resources to load, grouped by compatibility with Cloud. // To get a full list of Azure clouds, use the az cli command "az cloud list --output table" // We use loadTextContent instead of loadJsonContent as this allows us to perform string replacement operations against the imported templates. 
@@ -185,6 +158,30 @@ var loadPolicyDefinitions = {
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AzFw-Without-Policy.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-Resource-Kinds.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-EH-MINTLS.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Modify-NSG.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Modify-UDR.json') // FSI specific policy
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json')
 ]
 AzureCloud: [
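Review bot: All 24 new definitions are placed in the `All` list, which this file uses for definitions deployed to every cloud (the lists are described as "grouped by compatibility with Cloud" and `All` is concatenated with the current cloud's list), yet the only annotation is `// FSI specific policy`, which records where they came from rather than whether they were validated on AzureChinaCloud and AzureUSGovernment. If they have not been, move them to the `AzureCloud` list with a comment such as `// Not yet validated in AzureChinaCloud / AzureUSGovernment`; if they have, say so once above the group instead of repeating the FSI tag on each line. `Modify-NSG.json` and `Modify-UDR.json` in particular are, going by their names, Modify-effect definitions that presumably rewrite network security groups and route tables, so the clouds they are expected to work in and the permissions their assignments' identities need deserve an explicit note. The `loadPolicyDefinitions` object continues past the end of this hunk.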
@@ -222,48 +219,6 @@ var loadPolicyDefinitions = { ] } -// The following var contains lists of files containing Policy Set Definition (Initiative) resources to load, grouped by compatibility with Cloud. -// To get a full list of Azure clouds, use the az cli command "az cloud list --output table" -// We use loadTextContent instead of loadJsonContent as this allows us to perform string replacement operations against the imported templates. -var loadPolicySetDefinitions = { - All: [ - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization.json') - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch.json') - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security.json') - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json') - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json') - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json') - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json') - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json') - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json') - ] - AzureCloud: [ - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json') // See AzureChinaCloud and 
AzureUSGovernment comments below for reasoning - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json') // Unable to validate if Guest Configuration is working in other clouds - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-DefenderSQL-AMA.json') - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json') // Unable to validate if all Azure Site Recovery features are working in other clouds - ] - AzureChinaCloud: [ - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json') // Due to missing built-in Policy Definitions () - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureChinaCloud.json') // Due to missing "Deploy-Diagnostics-AVDScalingPlans" custom Policy Definition - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (44433aa3-7ec2-4002-93ea-65c65ff0310a, 50ea7265-7d8c-429e-9a7d-ca1f410191c3, b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d, 74c30959-af11-47b3-9ed2-a26e03f427a3, 1f725891-01c0-420a-9059-4fa46cb770b7, 2370a3c1-4a25-4283-a91a-c9c1a145fb2f, b7021b2b-08fd-4dc0-9de7-3c6ece09faf9, b99b73e7-074b-4089-9395-b7236f094491) - 
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json') // Due to missing built-in Policy Definitions () - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (051cba44-2429-45b9-9649-46cec11c7119), and replacement custom Policy Definitions ("Deploy-MySQLCMKEffect", "Deploy-PostgreSQLCMKEffect") - ] - AzureUSGovernment: [ - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (5e1de0e3-42cb-4ebc-a86d-61d0c619ca48, c9299215-ae47-4f50-9c54-8a392f68a052) - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureUSGovernment.json') // Due to missing "Deploy-Diagnostics-AVDScalingPlans" custom Policy Definition - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (44433aa3-7ec2-4002-93ea-65c65ff0310a, 50ea7265-7d8c-429e-9a7d-ca1f410191c3, b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d, 1f725891-01c0-420a-9059-4fa46cb770b7) - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (0b026355-49cb-467b-8ac4-f777874e175a) - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (83cef61d-dbd1-4b20-a4fc-5fbc7da10833, 18adea5e-f416-4d0f-8aa8-d24321e3e274, 051cba44-2429-45b9-9649-46cec11c7119) - ] -} - // The following vars are used to manipulate the imported Policy Definitions to replace deployment location values // Needs a double replace to handle updates in both templates for All clouds, and 
localized templates var processPolicyDefinitionsAll = [for content in loadPolicyDefinitions.All: replace(replace(content, templateVars.defaultDeploymentLocation, deploymentLocation), templateVars.localizedDeploymentLocation, deploymentLocation)] @@ -271,11 +226,6 @@ var processPolicyDefinitionsAzureCloud = [for content in loadPolicyDefinitions.A var processPolicyDefinitionsAzureChinaCloud = [for content in loadPolicyDefinitions.AzureChinaCloud: replace(replace(content, templateVars.defaultDeploymentLocation, deploymentLocation), templateVars.localizedDeploymentLocation, deploymentLocation)] var processPolicyDefinitionsAzureUSGovernment = [for content in loadPolicyDefinitions.AzureUSGovernment: replace(replace(content, templateVars.defaultDeploymentLocation, deploymentLocation), templateVars.localizedDeploymentLocation, deploymentLocation)] -// The following vars are used to manipulate the imported Policy Set Definitions to replace Policy Definition scope values -var processPolicySetDefinitionsAll = [for content in loadPolicySetDefinitions.All: replace(content, templateVars.scope, scope)] -var processPolicySetDefinitionsAzureCloud = [for content in loadPolicySetDefinitions.AzureCloud: replace(content, templateVars.scope, scope)] -var processPolicySetDefinitionsAzureChinaCloud = [for content in loadPolicySetDefinitions.AzureChinaCloud: replace(content, templateVars.scope, scope)] -var processPolicySetDefinitionsAzureUSGovernment = [for content in loadPolicySetDefinitions.AzureUSGovernment: replace(content, templateVars.scope, scope)] // The following vars are used to convert the imported Policy Definitions into objects from JSON var policyDefinitionsAll = [for content in processPolicyDefinitionsAll: json(content)] 
@@ -283,11 +233,6 @@ var policyDefinitionsAzureCloud = [for content in processPolicyDefinitionsAzureC var policyDefinitionsAzureChinaCloud = [for content in processPolicyDefinitionsAzureChinaCloud: json(content)] var policyDefinitionsAzureUSGovernment = [for content in processPolicyDefinitionsAzureUSGovernment: json(content)] -// The following vars are used to convert the imported Policy Set Definitions into objects from JSON -var policySetDefinitionsAll = [for content in processPolicySetDefinitionsAll: json(content)] -var policySetDefinitionsAzureCloud = [for content in processPolicySetDefinitionsAzureCloud: json(content)] -var policySetDefinitionsAzureChinaCloud = [for content in processPolicySetDefinitionsAzureChinaCloud: json(content)] -var policySetDefinitionsAzureUSGovernment = [for content in processPolicySetDefinitionsAzureUSGovernment: json(content)] // The following var is used to compile the required Policy Definitions into a single object var policyDefinitionsByCloudType = { 
@@ -297,22 +242,10 @@ var policyDefinitionsByCloudType = { AzureUSGovernment: policyDefinitionsAzureUSGovernment } -// The following var is used to compile the required Policy Definitions into a single object -var policySetDefinitionsByCloudType = { - All: policySetDefinitionsAll - AzureCloud: policySetDefinitionsAzureCloud - AzureChinaCloud: policySetDefinitionsAzureChinaCloud - AzureUSGovernment: policySetDefinitionsAzureUSGovernment -} - // The following var is used to extract the Policy Definitions into a single list for deployment // This will contain all policy definitions classified as available for All cloud environments, and those for the current cloud environment var policyDefinitions = concat(policyDefinitionsByCloudType.All, policyDefinitionsByCloudType[cloudEnv]) -// The following var is used to extract the Policy Set Definitions into a single list for deployment -// This will contain all policy set definitions classified as available for All cloud environments, and those for the current cloud environment -var policySetDefinitions = concat(policySetDefinitionsByCloudType.All, policySetDefinitionsByCloudType[cloudEnv]) - // Create the Policy Definitions as needed for the target cloud environment resource PolicyDefinitions 'Microsoft.Authorization/policyDefinitions@2020-09-01' = [for policy in policyDefinitions: { name: policy.name 
@@ -327,23 +260,4 @@ resource PolicyDefinitions 'Microsoft.Authorization/policyDefinitions@2020-09-01 } }] -// Create the Policy Definitions as needed for the target cloud environment -// Depends on Policy Definitons to ensure they exist before creating dependent Policy Set Definitions (Initiatives) -resource PolicySetDefinitions 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = [for policy in policySetDefinitions: { - dependsOn: [ - PolicyDefinitions - ] - name: policy.name - properties: { - description: policy.properties.description - displayName: policy.properties.displayName - metadata: policy.properties.metadata - parameters: policy.properties.parameters - policyType: policy.properties.policyType - policyDefinitions: policy.properties.policyDefinitions - policyDefinitionGroups: policy.properties.policyDefinitionGroups - } -}] - output policyDefinitionNames array = [for policy in policyDefinitions: policy.name] -output policySetDefinitionNames array = [for policy in policySetDefinitions: policy.name]