diff --git a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json
index d3cc25a6f..fcd0af1cd 100644
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json
@@ -10,13 +10,20 @@
 "Deny-Subnet-Without-Nsg",
 "Deploy-AKS-Policy",
 "Deploy-AzSqlDb-Auditing",
+ "Deploy-MDFC-DefSQL-AMA",
 "Deploy-SQL-TDE",
 "Deploy-SQL-Threat",
 "Deploy-VM-Backup",
+ "Deploy-VM-ChangeTrack",
+ "Deploy-VM-Monitoring",
+ "Deploy-vmArc-ChangeTrack",
+ "Deploy-VMSS-ChangeTrack",
+ "Deploy-VMSS-Monitoring",
+ "Enable-AUM-CheckUpdates",
 "Enable-DDoS-VNET",
 "Enforce-AKS-HTTPS",
 "Enforce-GR-KeyVault",
- "Enforce-TLS-SSL"
+ "Enforce-TLS-SSL-H224"
 ],
 "policy_definitions": [],
 "policy_set_definitions": [],
diff --git a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json
index 7beae4b5b..75b238b36 100644
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json
@@ -1,6 +1,14 @@
 {
 "es_platform": {
 "policy_assignments": [
+ "DenyAction-Resource-Del",
+ "Deploy-MDFC-DefSQL-AMA",
+ "Deploy-VM-ChangeTrack",
+ "Deploy-VM-Monitoring",
+ "Deploy-vmArc-ChangeTrack",
+ "Deploy-VMSS-ChangeTrack",
+ "Deploy-VMSS-Monitoring",
+ "Enable-AUM-CheckUpdates",
 "Enforce-GR-KeyVault"
 ],
 "policy_definitions": [],
diff --git a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
index c0bb3dcc2..6465987e3 100644
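Review bot: Renaming the assignment from `Enforce-TLS-SSL` to `Enforce-TLS-SSL-H224` in the es_landing_zones hunk (and `Deploy-MDFC-Config` to `Deploy-MDFC-Config-H224` in the es_root hunk that follows) changes the policy assignment's resource name, so on an existing deployment the old assignment and the role assignments of its managed identity are presumably destroyed and recreated rather than updated in place, and compliance history under the old name is lost. Any user-side override keyed by the old assignment name would silently stop matching. This deserves an explicit old-name-to-new-name mapping in the release notes and in the archetype documentation.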
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
@@ -1,18 +1,20 @@
 {
 "es_root": {
 "policy_assignments": [
+ "Audit-ResourceRGLocation",
+ "Audit-TrustedLaunch",
 "Audit-UnusedResources",
+ "Audit-ZoneResiliency",
 "Deny-Classic-Resources",
 "Deny-UnmanagedDisk",
 "Deploy-ASC-Monitoring",
 "Deploy-AzActivity-Log",
+ "Deploy-Diag-Logs",
 "Deploy-MDEndpoints",
- "Deploy-MDFC-Config",
+ "Deploy-MDEndpointsAMA",
+ "Deploy-MDFC-Config-H224",
 "Deploy-MDFC-OssDb",
 "Deploy-MDFC-SqlAtp",
- "Deploy-Resource-Diag",
- "Deploy-VM-Monitoring",
- "Deploy-VMSS-Monitoring",
 "Enforce-ACSB"
 ],
 "policy_definitions": [
@@ -28,17 +30,28 @@
 "Audit-PublicIpAddresses-UnusedResourcesCostOptimization",
 "Audit-ServerFarms-UnusedResourcesCostOptimization",
 "Deny-AA-child-resources",
+ "Deny-APIM-TLS",
+ "Deny-AppGw-Without-Tls",
 "Deny-AppGW-Without-WAF",
+ "Deny-AppService-without-BYOC",
 "Deny-AppServiceApiApp-http",
 "Deny-AppServiceFunctionApp-http",
 "Deny-AppServiceWebApp-http",
+ "Deny-AzFw-Without-Policy",
+ "Deny-CognitiveServices-NetworkAcls",
+ "Deny-CognitiveServices-Resource-Kinds",
+ "Deny-CognitiveServices-RestrictOutboundNetworkAccess",
 "Deny-Databricks-NoPublicIp",
 "Deny-Databricks-Sku",
 "Deny-Databricks-VirtualNetwork",
+ "Deny-EH-minTLS",
+ "Deny-EH-Premium-CMK",
 "Deny-FileServices-InsecureAuth",
 "Deny-FileServices-InsecureKerberos",
 "Deny-FileServices-InsecureSmbChannel",
 "Deny-FileServices-InsecureSmbVersions",
+ "Deny-LogicApp-Public-Network",
+ "Deny-LogicApps-Without-Https",
 "Deny-MachineLearning-Aks",
 "Deny-MachineLearning-Compute-SubnetId",
 "Deny-MachineLearning-Compute-VmSize",
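Review bot: Dropping `Deploy-VM-Monitoring` and `Deploy-VMSS-Monitoring` from es_root in the first hunk, while the es_landing_zones and es_platform hunks add them, narrows VM Insights coverage to those two archetypes; any management group under root that uses neither (sandbox or decommissioned, if this library defines them) stops being covered, which looks intentional but should be stated in the changelog. The same hunk removes `Deploy-Resource-Diag` in favour of `Deploy-Diag-Logs` rather than keeping both, so existing diagnostic settings created by the old assignment are left as-is once its assignment disappears. The policy_definitions list continues past the end of this view.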
@@ -55,9 +68,19 @@
 "Deny-PublicIP",
 "Deny-RDP-From-Internet",
 "Deny-Redis-http",
+ "Deny-Service-Endpoints",
 "Deny-Sql-minTLS",
 "Deny-SqlMi-minTLS",
+ "Deny-Storage-ContainerDeleteRetentionPolicy",
+ "Deny-Storage-CopyScope",
+ "Deny-Storage-CorsRules",
+ "Deny-Storage-LocalUser",
 "Deny-Storage-minTLS",
+ "Deny-Storage-NetworkAclsBypass",
+ "Deny-Storage-NetworkAclsVirtualNetworkRules",
+ "Deny-Storage-ResourceAccessRulesResourceId",
+ "Deny-Storage-ResourceAccessRulesTenantId",
+ "Deny-Storage-ServicesEncryption",
 "Deny-Storage-SFTP",
 "Deny-StorageAccount-CustomDomain",
 "Deny-Subnet-Without-Nsg",
@@ -127,10 +150,17 @@
 "Deploy-Diagnostics-WVDHostPools",
 "Deploy-Diagnostics-WVDWorkspace",
 "Deploy-FirewallPolicy",
+ "Deploy-LogicApp-TLS",
+ "Deploy-MDFC-Arc-SQL-DCR-Association",
+ "Deploy-MDFC-Arc-Sql-DefenderSQL-DCR",
+ "Deploy-MDFC-SQL-AMA",
+ "Deploy-MDFC-SQL-DefenderSQL-DCR",
+ "Deploy-MDFC-SQL-DefenderSQL",
 "Deploy-MySQL-sslEnforcement",
 "Deploy-Nsg-FlowLogs-to-LA",
 "Deploy-Nsg-FlowLogs",
 "Deploy-PostgreSQL-sslEnforcement",
+ "Deploy-Private-DNS-Generic",
 "Deploy-Sql-AuditingSettings",
 "Deploy-SQL-minTLS",
 "Deploy-Sql-SecurityAlertPolicies",
@@ -139,24 +169,59 @@
 "Deploy-Sql-vulnerabilityAssessments",
 "Deploy-SqlMi-minTLS",
 "Deploy-Storage-sslEnforcement",
+ "Deploy-UserAssignedManagedIdentity-VMInsights",
 "Deploy-Vm-autoShutdown",
 "Deploy-VNET-HubSpoke",
- "Deploy-Windows-DomainJoin"
+ "Deploy-Windows-DomainJoin",
+ "Modify-NSG",
+ "Modify-UDR"
 ],
 "policy_set_definitions": [
+ "Audit-TrustedLaunch",
 "Audit-UnusedResourcesCostOptimization",
 "Deny-PublicPaaSEndpoints",
 "DenyAction-DeleteProtection",
+ "Deploy-AUM-CheckUpdates",
 "Deploy-Diagnostics-LogAnalytics",
+ "Deploy-MDFC-Config_20240319",
 "Deploy-MDFC-Config",
+ "Deploy-MDFC-DefenderSQL-AMA",
 "Deploy-Private-DNS-Zones",
+ "Deploy-Sql-Security_20240529",
 "Deploy-Sql-Security",
 "Enforce-ACSB",
 "Enforce-ALZ-Decomm",
 "Enforce-ALZ-Sandbox",
+ "Enforce-Backup",
 "Enforce-Encryption-CMK",
+ "Enforce-EncryptTransit_20240509",
 "Enforce-EncryptTransit",
- "Enforce-Guardrails-KeyVault"
+ "Enforce-Guardrails-APIM",
+ "Enforce-Guardrails-AppServices",
+ "Enforce-Guardrails-Automation",
+ "Enforce-Guardrails-CognitiveServices",
+ "Enforce-Guardrails-Compute",
+ "Enforce-Guardrails-ContainerApps",
+ "Enforce-Guardrails-ContainerInstance",
+ "Enforce-Guardrails-ContainerRegistry",
+ "Enforce-Guardrails-CosmosDb",
+ "Enforce-Guardrails-DataExplorer",
+ "Enforce-Guardrails-DataFactory",
+ "Enforce-Guardrails-EventGrid",
+ "Enforce-Guardrails-EventHub",
+ "Enforce-Guardrails-KeyVault-Sup",
+ "Enforce-Guardrails-KeyVault",
+ "Enforce-Guardrails-Kubernetes",
+ "Enforce-Guardrails-MachineLearning",
+ "Enforce-Guardrails-MySQL",
+ "Enforce-Guardrails-Network",
+ "Enforce-Guardrails-OpenAI",
+ "Enforce-Guardrails-PostgreSQL",
+ "Enforce-Guardrails-ServiceBus",
+ "Enforce-Guardrails-SQL",
+ "Enforce-Guardrails-Storage",
+ "Enforce-Guardrails-Synapse",
+ "Enforce-Guardrails-VirtualDesktop"
 ],
 "role_definitions": [
 "Network-Subnet-Contributor",
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json
index e2ae50c5f..0f497ceda 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json
@@ -33,7 +33,7 @@
 "privatelink.azurestaticapps.net",
 "privatelink.azuresynapse.net",
 "privatelink.azurewebsites.net",
- "privatelink.${connectivity_location}.batch.azure.com",
+ "privatelink.batch.azure.com",
 "privatelink.blob.core.windows.net",
 "privatelink.cassandra.cosmos.azure.com",
 "privatelink.cognitiveservices.azure.com",
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_resourcerglocation.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_resourcerglocation.tmpl.json
new file mode 100644
index 000000000..2fde061f2
--- /dev/null
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_resourcerglocation.tmpl.json
@@ -0,0 +1,24 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "Audit-ResourceRGLocation",
+ "dependsOn": [],
+ "properties": {
+ "description": "Resource Group and Resource locations should match.",
+ "displayName": "Resource Group and Resource locations should match",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a",
+ "enforcementMode": "Default",
+ "nonComplianceMessages": [
+ {
+ "message": "Resources {enforcementMode} be deployed in the same region as the Resource Group."
+ }
+ ],
+ "parameters": {},
+ "scope": "${current_scope_resource_id}",
+ "notScopes": []
+ },
+ "location": "${default_location}",
+ "identity": {
+ "type": "None"
+ }
+}
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json
new file mode 100644
index 000000000..0da4e80b1
--- /dev/null
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json
@@ -0,0 +1,28 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "Audit-TrustedLaunch",
+ "location": "${default_location}",
+ "dependsOn": [],
+ "properties": {
+ "description": "Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.",
+ "displayName": "Audit virtual machines for Trusted Launch support",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch",
+ "enforcementMode": "Default",
+ "nonComplianceMessages": [
+ {
+ "message": "Trust Launch {enforcementMode} be used on supported virtual machines for enhanced security."
+ }
+ ],
+ "parameters": {
+ "effect": {
+ "value": "Audit"
+ }
+ },
+ "scope": "${current_scope_resource_id}",
+ "notScopes": []
+ },
+ "identity": {
+ "type": "None"
+ }
+}
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_zoneresiliency.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_zoneresiliency.tmpl.json
new file mode 100644
index 000000000..8178f23db
--- /dev/null
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_zoneresiliency.tmpl.json
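Review bot: The non-compliance message in the Audit-TrustedLaunch file reads `Trust Launch {enforcementMode} be used ...`, while the description and displayName call the feature Trusted Launch; the user-facing string should be `"message": "Trusted Launch {enforcementMode} be used on supported virtual machines for enhanced security."`. The `policyDefinitionId` points at the custom initiative `Audit-TrustedLaunch` under `${root_scope_resource_id}`, which the es_root archetype hunk earlier in this diff adds to policy_set_definitions, so the reference resolves only when that entry is kept.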
@@ -0,0 +1,31 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "Audit-ZoneResiliency",
+ "dependsOn": [],
+ "properties": {
+ "description": "Resources should be Zone Resilient.",
+ "displayName": "Resources should be Zone Resilient",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5",
+ "enforcementMode": "Default",
+ "nonComplianceMessages": [
+ {
+ "message": "Resources {enforcementMode} be Zone Resilient."
+ }
+ ],
+ "parameters": {
+ "effect": {
+ "value": "Audit"
+ },
+ "allow": {
+ "value": "Both"
+ }
+ },
+ "scope": "${current_scope_resource_id}",
+ "notScopes": []
+ },
+ "location": "${default_location}",
+ "identity": {
+ "type": "None"
+ }
+}
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_denyaction_resource_del.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_denyaction_resource_del.tmpl.json
new file mode 100644
index 000000000..1b4295252
--- /dev/null
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_denyaction_resource_del.tmpl.json
@@ -0,0 +1,26 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "DenyAction-Resource-Del",
+ "dependsOn": [],
+ "properties": {
+ "description": "This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect.",
+ "displayName": "Do not allow deletion of resource types",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/78460a36-508a-49a4-b2b2-2f5ec564f4bb",
+ "enforcementMode": "Default",
+ "parameters": {
+ "effect": {
+ "value": "DenyAction"
+ },
+ "listOfResourceTypesDisallowedForDeletion": {
+ "value": []
+ }
+ },
+ "scope": "${current_scope_resource_id}",
+ "notScopes": []
+ },
+ "location": "${default_location}",
+ "identity": {
+ "type": "None"
+ }
+}
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logs.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logs.tmpl.json
new file mode 100644
index 000000000..2be65c4bf
--- /dev/null
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logs.tmpl.json
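Review bot: `listOfResourceTypesDisallowedForDeletion` is assigned as an empty array, so `DenyAction-Resource-Del` blocks no delete calls until a caller overrides the parameter; with effect `DenyAction` and no resource types listed the assignment is a no-op rather than a protective default, which is easy to miss because the assignment still shows up as deployed. If an empty list is the intended opt-in, say so where the es_platform archetype is documented, and consider whether the default should name the platform resources the other new assignments depend on, such as the Log Analytics workspace and the data collection rules referenced by `Deploy-Diag-Logs` and the ChangeTrack assignments. This is also the only new assignment in the diff without a `nonComplianceMessages` entry; adding one such as `"message": "Deletion of the listed resource types {enforcementMode} be blocked."` keeps it consistent with its siblings.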
@@ -0,0 +1,28 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "Deploy-Diag-Logs",
+ "location": "${default_location}",
+ "dependsOn": [],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the allLogs category group to route logs to an Event Hub for all supported resources.",
+ "displayName": "Enable allLogs category group resource logging for supported resources to Log Analytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/0884adba-2312-4468-abeb-5422caed1038",
+ "enforcementMode": "Default",
+ "nonComplianceMessages": [
+ {
+ "message": "Diagnostic settings {enforcementMode} be deployed to Azure services to forward logs to Log Analytics."
+ }
+ ],
+ "parameters": {
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${root_scope_id}-la"
+ }
+ },
+ "scope": "${current_scope_resource_id}",
+ "notScopes": []
+ }
+}
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpointsama.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpointsama.tmpl.json
new file mode 100644
index 000000000..ee9a51225
--- /dev/null
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpointsama.tmpl.json
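Review bot: The description of `Deploy-Diag-Logs` says the initiative routes logs `to an Event Hub`, but the displayName, the `logAnalytics` parameter and the non-compliance message all target a Log Analytics workspace; the description should end with `to route logs to a Log Analytics workspace for all supported resources.` so the three strings agree. The `logAnalytics` value carries the `00000000-0000-0000-0000-000000000000` subscription placeholder in the same form as the `logAnalytics_1` values removed from the VM and VMSS monitoring files later in this diff, so I assume the module rewrites it after rendering; if that rewrite is keyed by parameter name, it must now also cover `logAnalytics`, otherwise the DeployIfNotExists remediation points at a workspace that does not exist.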
@@ -0,0 +1,24 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "Deploy-MDEndpointsAMA",
+ "location": "${default_location}",
+ "dependsOn": [],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "Configure the multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP, WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW, WDATP_UNIFIED_SOLUTION etc.). See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information.",
+ "displayName": "Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/77b391e3-2d5d-40c3-83bf-65c846b3c6a3",
+ "enforcementMode": "Default",
+ "nonComplianceMessages": [
+ {
+ "message": "Microsoft Defender for Endpoint {enforcementMode} be deployed."
+ }
+ ],
+ "parameters": {},
+ "scope": "${current_scope_resource_id}",
+ "notScopes": []
+ }
+}
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config_h224.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config_h224.tmpl.json
new file mode 100644
index 000000000..90510c8b4
--- /dev/null
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config_h224.tmpl.json
@@ -0,0 +1,73 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "Deploy-MDFC-Config-H224",
+ "location": "${default_location}",
+ "dependsOn": [],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "Deploy Microsoft Defender for Cloud and Security Contacts",
+ "displayName": "Deploy Microsoft Defender for Cloud configuration",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319",
+ "enforcementMode": "Default",
+ "nonComplianceMessages": [
+ {
+ "message": "Microsoft Defender for Cloud and Security Contacts {enforcementMode} be deployed."
+ }
+ ],
+ "parameters": {
+ "emailSecurityContact": {
+ "value": "security_contact@replace_me"
+ },
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${root_scope_id}-la"
+ },
+ "ascExportResourceGroupName": {
+ "value": "${root_scope_id}-asc-export"
+ },
+ "ascExportResourceGroupLocation": {
+ "value": "${default_location}"
+ },
+ "enableAscForServers": {
+ "value": "Disabled"
+ },
+ "enableAscForServersVulnerabilityAssessments": {
+ "value": "Disabled"
+ },
+ "enableAscForSql": {
+ "value": "Disabled"
+ },
+ "enableAscForAppServices": {
+ "value": "Disabled"
+ },
+ "enableAscForStorage": {
+ "value": "Disabled"
+ },
+ "enableAscForContainers": {
+ "value": "Disabled"
+ },
+ "enableAscForKeyVault": {
+ "value": "Disabled"
+ },
+ "enableAscForSqlOnVm": {
+ "value": "Disabled"
+ },
+ "enableAscForArm": {
+ "value": "Disabled"
+ },
+ "enableAscForOssDb": {
+ "value": "Disabled"
+ },
+ "enableAscForCosmosDbs": {
+ "value": "Disabled"
+ },
+ "enableAscForCspm": {
+ "value": "Disabled"
+ }
+ },
+ "scope": "${current_scope_resource_id}",
+ "notScopes": []
+ }
+}
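Review bot: Every `enableAscFor*` parameter in `Deploy-MDFC-Config-H224` is set to `Disabled` and `emailSecurityContact` is the `security_contact@replace_me` placeholder, so as written this assignment enables no Defender plan and registers no usable security contact at the root scope. If, as with the `Deploy-MDFC-Config` assignment it replaces, these values are overridden from the module's management settings, that override logic needs to learn the new assignment name and the parameters that are new here (`enableAscForServersVulnerabilityAssessments`, `enableAscForCosmosDbs`, `enableAscForCspm`), otherwise those plans silently stay off. A line in the module documentation listing which of these parameters the module sets and which the user must set would make the intended behaviour checkable.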
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_defsql_ama.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_defsql_ama.tmpl.json
new file mode 100644
index 000000000..f09719dd9
--- /dev/null
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_defsql_ama.tmpl.json
@@ -0,0 +1,46 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "Deploy-MDFC-DefSQL-AMA",
+ "location": "${default_location}",
+ "dependsOn": [],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations).",
+ "displayName": "Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/de01d381-bae9-4670-8870-786f89f49e26",
+ "enforcementMode": "Default",
+ "nonComplianceMessages": [
+ {
+ "message": "Microsoft Defender for SQL {enforcementMode} be deployed."
+ }
+ ],
+ "parameters": {
+ "workspaceRegion": {
+ "value": "${default_location}"
+ },
+ "userWorkspaceResourceId": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${root_scope_id}-la"
+ },
+ "bringYourOwnDcr": {
+ "value": true
+ },
+ "dcrResourceId": {
+ "value": "${azure_monitor_data_collection_rule_sql_resource_id}"
+ },
+ "enableCollectionOfSqlQueriesForSecurityResearch": {
+ "value": false
+ },
+ "bringYourOwnUserAssignedManagedIdentity": {
+ "value": true
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "${user_assigned_managed_identity_resource_id}"
+ }
+ },
+ "scope": "${current_scope_resource_id}",
+ "notScopes": []
+ }
+}
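Review bot: This file introduces the template variables `${azure_monitor_data_collection_rule_sql_resource_id}` and `${user_assigned_managed_identity_resource_id}`; the VM, VMSS and Arc ChangeTrack files and the reworked VM and VMSS monitoring hunks later in the diff add `${azure_monitor_data_collection_rule_change_tracking_resource_id}` and `${azure_monitor_data_collection_rule_vm_insights_resource_id}`, and the private DNS zones hunk adds `${connectivity_location_short}`. None of them is defined anywhere in this diff, so whatever renders these templates must now supply all five or rendering fails for every archetype that lists these assignments; a short table of the new variables and the resource each must point to belongs in the module documentation alongside this change. With `bringYourOwnDcr` and `bringYourOwnUserAssignedManagedIdentity` both `true`, the assignment presumably depends on those central resources already existing at apply time, which is worth stating next to that table.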
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
index 4857fa193..d36017ea9 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
@@ -121,7 +121,7 @@
 "value": "${private_dns_zone_prefix}privatelink.webpubsub.azure.com"
 },
 "azureBatchPrivateDnsZoneId": {
- "value": "${private_dns_zone_prefix}privatelink.${connectivity_location}.batch.azure.com"
+ "value": "${private_dns_zone_prefix}privatelink.batch.azure.com"
 },
 "azureAppPrivateDnsZoneId": {
 "value": "${private_dns_zone_prefix}privatelink.azconfig.io"
@@ -168,11 +168,56 @@
 "azureMachineLearningWorkspacePrivateDnsZoneId": {
 "value": "${private_dns_zone_prefix}privatelink.api.azureml.ms"
 },
+ "azureMachineLearningWorkspaceSecondPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.notebooks.azure.net"
+ },
 "azureServiceBusNamespacePrivateDnsZoneId": {
 "value": "${private_dns_zone_prefix}privatelink.servicebus.windows.net"
 },
 "azureCognitiveSearchPrivateDnsZoneId": {
 "value": "${private_dns_zone_prefix}privatelink.search.windows.net"
+ },
+ "azureBotServicePrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.directline.botframework.com"
+ },
+ "azureManagedGrafanaWorkspacePrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.grafana.azure.com"
+ },
+ "azureVirtualDesktopHostpoolPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.wvd.microsoft.com"
+ },
+ "azureVirtualDesktopWorkspacePrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.wvd.microsoft.com"
+ },
+ "azureIotDeviceupdatePrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.azure-devices.net"
+ },
+ "azureArcGuestconfigurationPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.guestconfiguration.azure.com"
+ },
+ "azureArcHybridResourceProviderPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.his.arc.azure.com"
+ },
+ "azureArcKubernetesConfigurationPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.dp.kubernetesconfiguration.azure.com"
+ },
+ "azureIotCentralPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.azureiotcentral.com"
+ },
+ "azureStorageTablePrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.table.core.windows.net"
+ },
+ "azureStorageTableSecondaryPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.table.core.windows.net"
+ },
+ "azureSiteRecoveryBackupPrivateDnsZoneID": {
+ "value": "${private_dns_zone_prefix}privatelink.${connectivity_location_short}.backup.windowsazure.com"
+ },
+ "azureSiteRecoveryBlobPrivateDnsZoneID": {
+ "value": "${private_dns_zone_prefix}privatelink.blob.core.windows.net"
+ },
+ "azureSiteRecoveryQueuePrivateDnsZoneID": {
+ "value": "${private_dns_zone_prefix}privatelink.queue.core.windows.net"
 }
 },
 "scope": "${current_scope_resource_id}",
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json
new file mode 100644
index 000000000..0833b7cba
--- /dev/null
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json
@@ -0,0 +1,40 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "Deploy-VM-ChangeTrack",
+ "location": "${default_location}",
+ "dependsOn": [],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "Enable ChangeTracking and Inventory for virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent.",
+ "displayName": "Enable ChangeTracking and Inventory for virtual machines",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/92a36f05-ebc9-4bba-9128-b47ad2ea3354",
+ "enforcementMode": "Default",
+ "nonComplianceMessages": [
+ {
+ "message": "Change Tracking {enforcementMode} be enabled for Virtual Machines."
+ }
+ ],
+ "parameters": {
+ "dcrResourceId": {
+ "value": "${azure_monitor_data_collection_rule_change_tracking_resource_id}"
+ },
+ "bringYourOwnUserAssignedManagedIdentity": {
+ "value": true
+ },
+ "restrictBringYourOwnUserAssignedIdentityToSubscription": {
+ "value": false
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "${user_assigned_managed_identity_resource_id}"
+ },
+ "effect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "scope": "${current_scope_resource_id}",
+ "notScopes": []
+ }
+}
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json
index edc9d09b3..e96534245 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json
@@ -10,7 +10,7 @@
 "properties": {
 "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter.",
 "displayName": "Enable Azure Monitor for VMs",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
@@ -18,8 +18,23 @@
 }
 ],
 "parameters": {
- "logAnalytics_1": {
- "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${root_scope_id}-la"
+ "dcrResourceId": {
+ "value": "${azure_monitor_data_collection_rule_vm_insights_resource_id}"
+ },
+ "bringYourOwnUserAssignedManagedIdentity": {
+ "value": true
+ },
+ "restrictBringYourOwnUserAssignedIdentityToSubscription": {
+ "value": false
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "${user_assigned_managed_identity_resource_id}"
+ },
+ "enableProcessesAndDependencies": {
+ "value": true
+ },
+ "scopeToSupportedImages": {
+ "value": false
 }
 },
 "scope": "${current_scope_resource_id}",
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmarc_changetrack.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmarc_changetrack.tmpl.json
new file mode 100644
index 000000000..3a710dcf6
--- /dev/null
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmarc_changetrack.tmpl.json
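Review bot: The description of `Deploy-VM-Monitoring` still says `Takes Log Analytics workspace as parameter` although the second hunk replaces `logAnalytics_1` with `dcrResourceId` and a user-assigned identity; the sentence should now read `Takes a Data Collection Rule ID and a user-assigned managed identity as parameters.`, and the VMSS monitoring file further down carries the same stale wording. `restrictBringYourOwnUserAssignedIdentityToSubscription` is set to `false`, which, as I read the parameter name, is what allows the centrally managed identity to be attached to machines in other subscriptions, and it is the kind of deliberate choice the archetype documentation should record since the JSON cannot carry a comment. `scopeToSupportedImages` set to `false` widens remediation beyond the images the initiative supports by default, which also deserves a sentence there.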
@@ -0,0 +1,31 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "Deploy-vmArc-ChangeTrack",
+ "location": "${default_location}",
+ "dependsOn": [],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "Enable ChangeTracking and Inventory for Arc-enabled virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations.",
+ "displayName": "Enable ChangeTracking and Inventory for Arc-enabled virtual machines",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/53448c70-089b-4f52-8f38-89196d7f2de1",
+ "enforcementMode": "Default",
+ "nonComplianceMessages": [
+ {
+ "message": "Change Tracking {enforcementMode} be enabled for Arc-enabled Virtual Machines."
+ }
+ ],
+ "parameters": {
+ "dcrResourceId": {
+ "value": "${azure_monitor_data_collection_rule_change_tracking_resource_id}"
+ },
+ "effect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "scope": "${current_scope_resource_id}",
+ "notScopes": []
+ }
+}
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json
new file mode 100644
index 000000000..868d85566
--- /dev/null
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json
@@ -0,0 +1,40 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "Deploy-VMSS-ChangeTrack",
+ "location": "${default_location}",
+ "dependsOn": [],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "Enable ChangeTracking and Inventory for virtual machine scale sets. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent.",
+ "displayName": "Enable ChangeTracking and Inventory for virtual machine scale sets",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/c4a70814-96be-461c-889f-2b27429120dc",
+ "enforcementMode": "Default",
+ "nonComplianceMessages": [
+ {
+ "message": "Change Tracking {enforcementMode} be enabled for Virtual Machines Scales Sets."
+ }
+ ],
+ "parameters": {
+ "dcrResourceId": {
+ "value": "${azure_monitor_data_collection_rule_change_tracking_resource_id}"
+ },
+ "bringYourOwnUserAssignedManagedIdentity": {
+ "value": true
+ },
+ "restrictBringYourOwnUserAssignedIdentityToSubscription": {
+ "value": false
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "${user_assigned_managed_identity_resource_id}"
+ },
+ "effect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "scope": "${current_scope_resource_id}",
+ "notScopes": []
+ }
+}
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json
index eb94d8871..4fd83c85e 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json
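Review bot: The non-compliance message in the Deploy-VMSS-ChangeTrack file reads `Virtual Machines Scales Sets`, a double plural; the user-facing string should be `"message": "Change Tracking {enforcementMode} be enabled for Virtual Machine Scale Sets."`, matching the displayName's wording.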
@@ -10,7 +10,7 @@
 "properties": {
 "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.",
 "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
@@ -18,8 +18,23 @@
 }
 ],
 "parameters": {
- "logAnalytics_1": {
- "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${root_scope_id}-la"
+ "dcrResourceId": {
+ "value": "${azure_monitor_data_collection_rule_vm_insights_resource_id}"
+ },
+ "bringYourOwnUserAssignedManagedIdentity": {
+ "value": true
+ },
+ "restrictBringYourOwnUserAssignedIdentityToSubscription": {
+ "value": false
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "${user_assigned_managed_identity_resource_id}"
+ },
+ "enableProcessesAndDependencies": {
+ "value": true
+ },
+ "scopeToSupportedImages": {
+ "value": false
 }
 },
 "scope": "${current_scope_resource_id}",
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enable_aum_checkupdates.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enable_aum_checkupdates.tmpl.json
new file mode 100644
index 000000000..8e460d3dc
--- /dev/null
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enable_aum_checkupdates.tmpl.json
@@ -0,0 +1,37 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "Enable-AUM-CheckUpdates",
+ "location": "${default_location}",
+ "dependsOn": [],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
+ "displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines.",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates",
+ "enforcementMode": "Default",
+ "nonComplianceMessages": [
+ {
+ "message": "Periodic checking of missing updates {enforcementMode} be enabled."
+ }
+ ],
+ "parameters": {
+ "assessmentMode": {
+ "value": "AutomaticByPlatform"
+ },
+ "locations": {
+ "value": []
+ },
+ "tagValues": {
+ "value": {}
+ },
+ "tagOperator": {
+ "value": "Any"
+ }
+ },
+ "scope": "${current_scope_resource_id}",
+ "notScopes": []
+ }
+}
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl_h224.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl_h224.tmpl.json
new file mode 100644
index 000000000..b1a0b2954
--- /dev/null
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl_h224.tmpl.json
@@ -0,0 +1,24 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "Enforce-TLS-SSL-H224",
+ "location": "${default_location}",
+ "dependsOn": [],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit.",
+ "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509",
+ "enforcementMode": "Default",
+ "nonComplianceMessages": [
+ {
+ "message": "TLS and SSL {enforcementMode} be enabled for on resources without encryption in transit."
+ }
+ ],
+ "parameters": {},
+ "scope": "${current_scope_resource_id}",
+ "notScopes": []
+ }
+}
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_privatelinkdnszones.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_privatelinkdnszones.json
index b23924b95..e63ca602b 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_privatelinkdnszones.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_privatelinkdnszones.json
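Review bot: `"parameters": {}` assigns the `Enforce-EncryptTransit_20240509` initiative with every member effect left at the initiative's own default, so a reader of this assignment cannot tell whether landing zones get Deny or Deploy/Append for each service, and a later change to the initiative's defaults silently changes the enforcement posture of the archetype. Pin the effects the archetype intends even where they equal today's defaults, or at minimum say in `description` which effect each resource family resolves to. The description text itself is hard to follow; something like `Deny effects block non-compliant resources at deployment time; DeployIfNotExists/Append effects apply the setting but it can be changed afterwards, so they are paired with Audit because their existence conditions cannot cover every case.` carries the same meaning more plainly. The non-compliance message `be enabled for on resources` has a stray word.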
@@ -6,10 +6,10 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Audit the creation of Private Link Private DNS Zones",
- "description": "This policy audits the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription",
+ "displayName": "Audit or Deny the creation of Private Link Private DNS Zones",
+ "description": "This policy audits or denies, depending on assignment effect, the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription",
 "metadata": {
- "version": "1.0.1",
+ "version": "1.0.2",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_publicipaddresses_unusedresourcescostoptimization.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_publicipaddresses_unusedresourcescostoptimization.json
index ac9b4f183..e4012c01b 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_publicipaddresses_unusedresourcescostoptimization.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_publicipaddresses_unusedresourcescostoptimization.json
@@ -9,7 +9,7 @@
 "displayName": "Unused Public IP addresses driving cost should be avoided",
 "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Cost Optimization",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -40,8 +40,8 @@
 "equals": "microsoft.network/publicIpAddresses"
 },
 {
- "field": "Microsoft.Network/publicIPAddresses/sku.name",
- "notEquals": "Basic"
+ "field": "Microsoft.Network/publicIPAddresses/publicIPAllocationMethod",
+ "equals": "Static"
 },
 {
 "anyOf": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_apim_tls.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_apim_tls.json
new file mode 100644
index 000000000..8becabff3
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_apim_tls.json
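Review bot: The selection criterion moves from "any non-Basic SKU" to "static allocation", which silently changes what the definition reports — unattached Basic-SKU static IPs are now flagged and unattached dynamic IPs of any SKU no longer are — but the `description` bumped to 1.1.0 in the preceding hunk still just says "orphaned Public IP addresses". Add the qualifier so operators are not surprised, e.g. `...reveal orphaned Public IP addresses with static allocation that are driving cost.` The surrounding `allOf` starts and ends outside this hunk.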
@@ -0,0 +1,70 @@
+{
+ "name": "Deny-APIM-TLS",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "API Management services should use TLS version 1.2",
+ "description": "Azure API Management service should use TLS version 1.2",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "API Management",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.ApiManagement/service"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\":\"true\"')]",
+ "greater": 0
+ },
+ {
+ "value": "[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\":true')]",
+ "greater": 0
+ },
+ {
+ "value": "[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\":\"true\"')]",
+ "greater": 0
+ },
+ {
+ "value": "[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\":true')]",
+ "greater": 0
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
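Review bot: The four `indexof` probes only match the front-end keys `...gateway.security.protocols.tls10` and `...tls11`; the back-end keys `...gateway.security.backend.protocols.tls10`, `...backend.protocols.tls11` and `...backend.protocols.ssl30`, as well as the front-end `...gateway.security.protocols.ssl30`, do not contain those substrings and so are never denied, although the displayName claims the service "should use TLS version 1.2". Either add `anyOf` entries of the same shape for those keys (for example `'\"microsoft.windowsazure.apimanagement.gateway.security.backend.protocols.tls10\":\"true\"'` and its unquoted-`true` twin) or narrow the displayName and description to the gateway front end. The substring search is also fragile by construction: it relies on `string()` serialising the object without spaces and on the match never sitting at offset 0 (true here only because the serialised object starts with `{`), so `greaterOrEquals: 0` states the intent and a comment in `description` about the serialisation assumption would help the next maintainer.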
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_appgw_without_tls.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_appgw_without_tls.json
new file mode 100644
index 000000000..ac9934892
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_appgw_without_tls.json
@@ -0,0 +1,78 @@
+{
+ "name": "Deny-AppGw-Without-Tls",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2",
+ "description": "This policy enables you to restrict that Application Gateways is always deployed with predefined Microsoft policy that is using TLS version 1.2",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "predefinedPolicyName": {
+ "type": "array",
+ "metadata": {
+ "displayName": "Predefined policy name",
+ "description": "Predefined policy name"
+ },
+ "defaultValue": [
+ "AppGwSslPolicy20220101",
+ "AppGwSslPolicy20170401S",
+ "AppGwSslPolicy20220101S"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/applicationGateways"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Network/applicationGateways/sslPolicy.policyType",
+ "notEquals": "Predefined"
+ },
+ {
+ "field": "Microsoft.Network/applicationGateways/sslPolicy.policyType",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Network/applicationGateways/sslPolicy.policyName",
+ "notIn": "[parameters('predefinedPolicyName')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
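Review bot: The first `anyOf` branch denies every gateway whose `sslPolicy.policyType` is not `Predefined`, so a `Custom` or `CustomV2` policy with `minProtocolVersion` at TLSv1_2 or higher — a configuration at least as strong as the three listed names — is rejected, and the `predefinedPolicyName` default has to be edited by hand each time Microsoft publishes a newer predefined policy. If "predefined only" is the deliberate choice, say so in `description` (the current text reads as a TLS-version requirement, not a policy-type requirement); otherwise restructure the rule so that a custom policy passes when `Microsoft.Network/applicationGateways/sslPolicy.minProtocolVersion` is in an allowed-versions parameter. `predefinedPolicyName` is an array, so a plural name such as `predefinedPolicyNames` and a parameter `description` that lists what the accepted values mean (`Predefined policy name` twice says nothing) would read better.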
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_appservice_without_byoc.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_appservice_without_byoc.json
new file mode 100644
index 000000000..13962cc09
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_appservice_without_byoc.json
@@ -0,0 +1,62 @@
+{
+ "name": "Deny-AppService-without-BYOC",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "App Service certificates must be stored in Key Vault",
+ "description": "App Service (including Logic apps and Function apps) must use certificates stored in Key Vault",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "App Service",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/certificates"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Web/certificates/keyVaultId",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Web/certificates/keyVaultSecretName",
+ "exists": "false"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_azfw_without_policy.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_azfw_without_policy.json
new file mode 100644
index 000000000..c762992c0
--- /dev/null
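Review bot: `Microsoft.Web/certificates` is also, as far as I recall, the resource type behind App Service managed certificates and direct PFX uploads (`pfxBlob`), neither of which carries `keyVaultId`, so once an assignment flips this to `Deny` it blocks the free managed certificate together with the out-of-band uploads it is aimed at — if that is intended, state it in `description`; if not, add an exclusion for managed certificates (a `canonicalName`-based condition, to be confirmed against the alias list) before anyone changes the default. The description's "(including Logic apps and Function apps)" is accurate only by implication: the rule never looks at a site's `kind`, it inspects the certificate resource, so wording such as `Every Microsoft.Web/certificates resource must reference a Key Vault secret (keyVaultId and keyVaultSecretName)` describes what is enforced. This is the only definition in the change whose `effect` defaults to `Audit` rather than `Deny`; a one-line note on why would stop someone "fixing" it.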
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_azfw_without_policy.json
@@ -0,0 +1,54 @@
+{
+ "name": "Deny-AzFw-Without-Policy",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Azure Firewall should have a default Firewall Policy",
+ "description": "This policy denies the creation of Azure Firewall without a default Firewall Policy.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/azureFirewalls"
+ },
+ {
+ "field": "Microsoft.Network/azureFirewalls/firewallPolicy.id",
+ "exists": "false"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_cognitiveservices_networkacls.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_cognitiveservices_networkacls.json
new file mode 100644
index 000000000..e3de09eb3
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_cognitiveservices_networkacls.json
@@ -0,0 +1,66 @@
+{
+ "name": "Deny-CognitiveServices-NetworkAcls",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Network ACLs should be restricted for Cognitive Services",
+ "description": "Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. Enable this to restrict inbound network access and enforce the usage of private endpoints.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Cognitive Services",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.CognitiveServices/accounts"
+ },
+ {
+ "anyOf": [
+ {
+ "count": {
+ "field": "Microsoft.CognitiveServices/accounts/networkAcls.ipRules[*]"
+ },
+ "greater": 0
+ },
+ {
+ "count": {
+ "field": "Microsoft.CognitiveServices/accounts/networkAcls.virtualNetworkRules[*]"
+ },
+ "greater": 0
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_cognitiveservices_resource_kinds.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_cognitiveservices_resource_kinds.json
new file mode 100644
index 000000000..e4c416f5d
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_cognitiveservices_resource_kinds.json
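Review bot: The rule denies an account as soon as it carries any `networkAcls.ipRules` or `networkAcls.virtualNetworkRules`, but never looks at `networkAcls.defaultAction` or `publicNetworkAccess`, so an account left fully open (default action Allow, no rules) is compliant while one that restricted itself to a few source ranges is denied — the reverse of the description's promise to "restrict inbound network access and enforce the usage of private endpoints". Either add a branch on `Microsoft.CognitiveServices/accounts/publicNetworkAccess` with `"notEquals": "Disabled"` so that only private-endpoint-only accounts pass, or reword the description to say that this definition merely forbids service-firewall exceptions and that disabling public access is enforced by a separate (built-in) policy. As written, the non-compliance story for a landing-zone owner is confusing: removing their IP rules makes them compliant without making them safer.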
@@ -0,0 +1,95 @@
+{
+ "name": "Deny-CognitiveServices-Resource-Kinds",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Only explicit kinds for Cognitive Services should be allowed",
+ "description": "Azure Cognitive Services should only create explicit allowed kinds.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Cognitive Services",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "allowedKinds": {
+ "type": "array",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Select the allowed resource kinds to be used with Cognitive Services"
+ },
+ "allowedValues": [
+ "AnomalyDetector",
+ "ComputerVision",
+ "CognitiveServices",
+ "ContentModerator",
+ "CustomVision.Training",
+ "CustomVision.Prediction",
+ "Face",
+ "FormRecognizer",
+ "ImmersiveReader",
+ "LUIS",
+ "Personalizer",
+ "SpeechServices",
+ "TextAnalytics",
+ "TextTranslation",
+ "OpenAI"
+ ],
+ "defaultValue": [
+ "AnomalyDetector",
+ "ComputerVision",
+ "CognitiveServices",
+ "ContentModerator",
+ "CustomVision.Training",
+ "CustomVision.Prediction",
+ "Face",
+ "FormRecognizer",
+ "ImmersiveReader",
+ "LUIS",
+ "Personalizer",
+ "SpeechServices",
+ "TextAnalytics",
+ "TextTranslation",
+ "OpenAI"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.CognitiveServices/accounts"
+ },
+ {
+ "field": "kind",
+ "notIn": "[parameters('allowedKinds')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
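Review bot: The `allowedKinds` parameter's `metadata.displayName` is `Effect`, a copy-paste from the `effect` parameter above it; it should be `Allowed kinds` so the assignment blade labels the field correctly. Because the parameter also fixes `allowedValues` to the same fifteen entries as `defaultValue`, an assignment can only ever narrow the list and can never admit a kind that Microsoft adds later (the multi-service `AIServices` kind, for instance, as far as I know) without a new definition version — and with the default in place the only thing denied is a kind the definition itself has not heard of. Consider dropping `allowedValues` from the parameter (keeping `defaultValue`) so the allow-list is governed at assignment time, and state in `description` that the default is permissive and is meant to be tightened per landing zone.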
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_cognitiveservices_restrictoutboundnetworkaccess.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_cognitiveservices_restrictoutboundnetworkaccess.json
new file mode 100644
index 000000000..07c5885f2
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_cognitiveservices_restrictoutboundnetworkaccess.json
@@ -0,0 +1,62 @@
+{
+ "name": "Deny-CognitiveServices-RestrictOutboundNetworkAccess",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Outbound network access should be restricted for Cognitive Services",
+ "description": "Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Cognitive Services",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.CognitiveServices/accounts"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess",
+ "notEquals": true
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
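Review bot: `restrictOutboundNetworkAccess: true` only means something together with the account's `allowedFqdnList`; the rule accepts the flag regardless of whether that list is empty or wide, so it cannot distinguish "egress blocked" from "egress allowed to whatever the team listed". That is fine for a gate, but the `description` should say so explicitly, e.g. `Requires restrictOutboundNetworkAccess to be true; the permitted destinations (allowedFqdnList) are not inspected by this policy.` A reader otherwise takes "limit outbound connectivity" as a data-exfiltration control, which this alone is not.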
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_eh_mintls.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_eh_mintls.json
new file mode 100644
index 000000000..a1e8b33e7
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_eh_mintls.json
@@ -0,0 +1,70 @@
+{
+ "name": "Deny-EH-minTLS",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Event Hub namespaces should use a valid TLS version",
+ "description": "Event Hub namespaces should use a valid TLS version.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Event Hub",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "minTlsVersion": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Minimum TLS Version",
+ "description": "Minimum TLS version to be used by Event Hub"
+ },
+ "defaultValue": "1.2"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.EventHub/namespaces"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.EventHub/namespaces/minimumTlsVersion",
+ "notEquals": "[parameters('minTlsVersion')]"
+ },
+ {
+ "field": "Microsoft.EventHub/namespaces/minimumTlsVersion",
+ "exists": "false"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
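Review bot: `minimumTlsVersion` is tested with `notEquals` against the single `minTlsVersion` value, so the parameter named "Minimum TLS Version" actually enforces an exact match — with the default `1.2`, a namespace that selects a higher version (if and when the service accepts one) would be denied rather than welcomed. Either express the floor as an allow-list (`"notIn": "[parameters('allowedTlsVersions')]"` over an array parameter defaulting to `["1.2"]`, so `1.3` can be added at assignment time) or rename the parameter and say in `description` that the policy requires exactly the configured version; "should use a valid TLS version" is too vague to tell a reader which. The parameter `type` is written `string` here and `String` for `effect`; Policy accepts both, but keep one casing within the file.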
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_eh_premium_cmk.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_eh_premium_cmk.json
new file mode 100644
index 000000000..2785c8031
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_eh_premium_cmk.json
@@ -0,0 +1,60 @@
+{
+ "name": "Deny-EH-Premium-CMK",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Event Hub namespaces (Premium) should use a customer-managed key for encryption",
+ "description": "Event Hub namespaces (Premium) should use a customer-managed key for encryption.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Event Hub",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.EventHub/namespaces"
+ },
+ {
+ "field": "Microsoft.EventHub/namespaces/sku.name",
+ "equals": "Premium"
+ },
+ {
+ "not": {
+ "field": "Microsoft.EventHub/namespaces/encryption.keySource",
+ "equals": "Microsoft.Keyvault"
+ }
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_logicapp_public_network.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_logicapp_public_network.json
new file mode 100644
index 000000000..08af4808c
--- /dev/null
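Review bot: `encryption.keySource` equal to `Microsoft.Keyvault` is the only thing checked, yet the key reference that makes CMK real lives in `encryption.keyVaultProperties[*]`; unless the service itself rejects a keySource with an empty array (not something this rule can rely on), a namespace can satisfy the policy without naming a key. If the alias is available, add a failing branch such as `{"count": {"field": "Microsoft.EventHub/namespaces/encryption.keyVaultProperties[*]"}, "less": 1}` alongside the `not` block, and have `description` say why the scope is limited to `sku.name == Premium` (CMK is a Premium/Dedicated feature; Standard namespaces inside a Dedicated cluster also support it, as far as I know, and are not covered here). A `Deny` default for a cost-bearing feature deserves a sentence that landing-zone owners are expected to provision a Key Vault key first.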
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_logicapp_public_network.json
@@ -0,0 +1,66 @@
+{
+ "name": "Deny-LogicApp-Public-Network",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Logic apps should disable public network access",
+ "description": "Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. Creating private endpoints can limit exposure of a Logic App. Learn more at: https://aka.ms/app-service-private-endpoint.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Logic Apps",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "kind",
+ "contains": "workflowapp"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Web/sites/publicNetworkAccess",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Web/sites/publicNetworkAccess",
+ "notEquals": "Disabled"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_logicapps_without_https.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_logicapps_without_https.json
new file mode 100644
index 000000000..412add92b
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_logicapps_without_https.json
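Review bot: The `kind contains workflowapp` filter on `Microsoft.Web/sites` means this covers Logic Apps Standard only; Consumption workflows (`Microsoft.Logic/workflows`) have no `publicNetworkAccess` property and are untouched, so the displayName `Logic apps should disable public network access` overstates the scope — `Logic Apps (Standard) should disable public network access` is accurate. The description's link to the App Service private-endpoint article is right for Standard and reinforces that this is a sites-level policy; a closing sentence that Consumption workflows must be restricted by other means (their own access-control settings) would stop an operator assuming they are covered.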
@@ -0,0 +1,66 @@
+{
+ "name": "Deny-LogicApps-Without-Https",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Logic app should only be accessible over HTTPS",
+ "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Logic Apps",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "kind",
+ "contains": "workflowapp"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Web/sites/httpsOnly",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Web/sites/httpsOnly",
+ "equals": "false"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_mgmtports_from_internet.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_mgmtports_from_internet.json
index 731cbbc69..ecdff67bb 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_mgmtports_from_internet.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_mgmtports_from_internet.json
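Review bot: `httpsOnly` is compared with the string `"false"` here, while `Deny-Storage-LocalUser` in the same change compares `isLocalUserEnabled` with a bare `false` and `Deny-Storage-ContainerDeleteRetentionPolicy` compares `enabled` with a bare `true`; Azure Policy tolerates both forms, but the mix reads as three authors guessing, so pick one (the built-in App Service HTTPS policies use the quoted string for `httpsOnly`) and apply it across the new definitions. The same scope caveat as the public-network sibling applies: `kind contains workflowapp` reaches Logic Apps Standard only, so `Logic Apps (Standard) should only be accessible over HTTPS` is the honest displayName. Like its siblings the file ends without a newline; `\ No newline at end of file` on every new definition suggests the generator or editor should be fixed once rather than per file.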
@@ -7,9 +7,9 @@
 "policyType": "Custom",
 "mode": "All",
 "displayName": "Management port access from the Internet should be blocked",
- "description": "This policy denies any network security rule that allows management port access from the Internet",
+ "description": "This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports.",
 "metadata": {
- "version": "2.1.0",
+ "version": "2.1.1",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "replacesPolicy": "Deny-RDP-From-Internet",
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_service_endpoints.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_service_endpoints.json
new file mode 100644
index 000000000..6c90c9947
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_service_endpoints.json
@@ -0,0 +1,60 @@
+{
+ "name": "Deny-Service-Endpoints",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Deny or Audit service endpoints on subnets",
+ "description": "This Policy will deny/audit Service Endpoints on subnets. Service Endpoints allows the network traffic to bypass Network appliances, such as the Azure Firewall.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks/subnets"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*]",
+ "where": {
+ "field": "Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*].service",
+ "exists": true
+ }
+ },
+ "greater": 0
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_containerdeleteretentionpolicy.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_containerdeleteretentionpolicy.json
new file mode 100644
index 000000000..6325b5b49
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_containerdeleteretentionpolicy.json
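Review bot: The rule only matches a request whose `type` is `Microsoft.Network/virtualNetworks/subnets`, i.e. a subnet PUT as a standalone resource; subnets declared inline in a `Microsoft.Network/virtualNetworks` body (the usual ARM/Bicep/Terraform path) arrive under the parent type and are not denied at deployment time, which I understand is why `Deny-Subnet-Without-Nsg` in this library checks both shapes. Add an `anyOf` branch for `Microsoft.Network/virtualNetworks` that counts `Microsoft.Network/virtualNetworks/subnets[*].serviceEndpoints[*]` the same way (assuming that alias is available), or say in `description` that inline subnets are caught only by compliance scans. The `where` clause requiring `serviceEndpoints[*].service` to exist adds nothing unless an endpoint entry can exist without a `service`; a bare `count` greater than 0 is simpler and equivalent otherwise.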
@@ -0,0 +1,74 @@
+{
+ "name": "Deny-Storage-ContainerDeleteRetentionPolicy",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Storage Accounts should use a container delete retention policy",
+ "description": "Enforce container delete retention policies larger than seven days for storage account. Enable this for increased data loss protection.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "minContainerDeleteRetentionInDays": {
+ "type": "Integer",
+ "metadata": {
+ "displayName": "Minimum Container Delete Retention in Days",
+ "description": "Specifies the minimum number of days for the container delete retention policy"
+ },
+ "defaultValue": 7
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts/blobServices"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled",
+ "exists": false
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled",
+ "notEquals": true
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.days",
+ "less": "[parameters('minContainerDeleteRetentionInDays')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
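Review bot: `description` promises retention "larger than seven days", but the rule denies only `containerDeleteRetentionPolicy.days` `less` than `minContainerDeleteRetentionInDays` (default 7), so exactly seven days passes — align the text to `at least seven days (configurable)`, or use `lessOrEquals` if strictly greater is what is meant. `exists` is a bare `false` here while the neighbouring definitions write the string `"false"`; both evaluate, but one form per file set keeps reviewers from wondering whether the difference is deliberate. Because the target is the `blobServices` child resource, an account deployed without an explicit `blobServices/default` body is not denied at creation and only surfaces in compliance scans; if deny-at-deploy is the expectation, that limitation belongs in `description` too.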
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_copyscope.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_copyscope.json
new file mode 100644
index 000000000..a8fb06bb8
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_copyscope.json
@@ -0,0 +1,74 @@
+{
+ "name": "Deny-Storage-CopyScope",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Allowed Copy scope should be restricted for Storage Accounts",
+ "description": "Azure Storage accounts should restrict the allowed copy scope. Enforce this for increased data exfiltration protection.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "allowedCopyScope": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Allowed Copy Scope",
+ "description": "Specify the allowed copy scope."
+ },
+ "allowedValues": [
+ "AAD",
+ "PrivateLink"
+ ],
+ "defaultValue": "AAD"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/allowedCopyScope",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/allowedCopyScope",
+ "notEquals": "[parameters('allowedCopyScope')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
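Review bot: `allowedCopyScope` `notEquals` a single parameter value turns a tiered setting into an exact match: with the default `AAD`, an account whose owner chose the stricter `PrivateLink` scope is denied. If the parameter is meant as a floor, make it an array (`"notIn": "[parameters('allowedCopyScopes')]"` with default `["AAD", "PrivateLink"]`) so the stricter option is always accepted and an assignment can still narrow to `PrivateLink` only; if exact match is intended, rename it to `requiredCopyScope` and say so in the parameter `description`. The `exists: "false"` branch is correct here since a new account without the property has no copy restriction at all, and that is worth one clause in the definition `description` so operators know why an unset value is non-compliant.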
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_corsrules.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_corsrules.json
new file mode 100644
index 000000000..758a36ba5
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_corsrules.json
@@ -0,0 +1,102 @@
+{
+ "name": "Deny-Storage-CorsRules",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Storage Accounts should restrict CORS rules",
+ "description": "Deny CORS rules for storage account for increased data exfiltration protection and endpoint protection.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "anyOf": [
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts/blobServices"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Storage/storageAccounts/blobServices/cors.corsRules[*]"
+ },
+ "greater": 0
+ }
+ ]
+ },
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts/fileServices"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Storage/storageAccounts/fileServices/cors.corsRules[*]"
+ },
+ "greater": 0
+ }
+ ]
+ },
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts/tableServices"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Storage/storageAccounts/tableServices/cors.corsRules[*]"
+ },
+ "greater": 0
+ }
+ ]
+ },
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts/queueServices"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Storage/storageAccounts/queueServices/cors.corsRules[*]"
+ },
+ "greater": 0
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_localuser.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_localuser.json
new file mode 100644
index 000000000..ef224a3a6
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_localuser.json
@@ -0,0 +1,62 @@
+{
+ "name": "Deny-Storage-LocalUser",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Local users should be restricted for Storage Accounts",
+ "description": "Azure Storage accounts should disable local users for features like SFTP. Enforce this for increased data exfiltration protection.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/isLocalUserEnabled",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/isLocalUserEnabled",
+ "notEquals": false
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_mintls.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_mintls.json
index 5b10d4862..b4b36c6e4 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_mintls.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_mintls.json
@@ -5,11 +5,13 @@
 "scope": null,
 "properties": {
 "policyType": "Custom",
- "mode": "Indexed",
- "displayName": "Storage Account set to minimum TLS and Secure transfer should be enabled",
- "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
+ "mode": "All",
+ "displayName": "[Deprecated] Storage Account set to minimum TLS and Secure transfer should be enabled",
+ "description": "Audit requirement of Secure transfer in your storage account. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/fe83a0eb-a853-422d-aac2-1bffd182c5d0.html and https://www.azadvertizer.net/azpolicyadvertizer/404c3081-a854-4457-ae30-26a93ef643f9.html",
 "metadata": {
- "version": "1.0.0",
+ "deprecated": true,
+ "supersededBy": "fe83a0eb-a853-422d-aac2-1bffd182c5d0,404c3081-a854-4457-ae30-26a93ef643f9",
+ "version": "1.0.0-deprecated",
 "category": "Storage",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_networkaclsbypass.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_networkaclsbypass.json
new file mode 100644
index 000000000..47b3b9608
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_networkaclsbypass.json
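Review bot: `supersededBy` packs two policy definition IDs into one comma-separated string, which forces every consumer to re-split it; an array `"supersededBy": ["fe83a0eb-a853-422d-aac2-1bffd182c5d0", "404c3081-a854-4457-ae30-26a93ef643f9"]` keeps the metadata machine-readable. The display name prefix here is `[Deprecated] ` while the diagnostics deprecations later in this diff use `[Deprecated]: `, and those hunks carry no `supersededBy` key at all, so one convention should be chosen for the whole set. This hunk also switches `mode` from `Indexed` to `All` on a definition that is being retired, which changes what any still-existing assignment evaluates against; that looks like a copy-over from the new definitions and is worth confirming as deliberate.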
@@ -0,0 +1,90 @@
+{
+ "name": "Deny-Storage-NetworkAclsBypass",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Network ACL bypass option should be restricted for Storage Accounts",
+ "description": "Azure Storage accounts should restrict the bypass option for service-level network ACLs. Enforce this for increased data exfiltration protection.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "allowedBypassOptions": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Allowed Bypass Options",
+ "description": "Specifies which options are allowed to bypass the vnet configuration"
+ },
+ "allowedValues": [
+ "None",
+ "Logging",
+ "Metrics",
+ "AzureServices",
+ "Logging, Metrics",
+ "Logging, AzureServices",
+ "Metrics, AzureServices",
+ "Logging, Metrics, AzureServices",
+ "Logging, Metrics, AzureServices"
+ ],
+ "defaultValue": [
+ "Logging",
+ "Metrics",
+ "AzureServices",
+ "Logging, Metrics",
+ "Logging, AzureServices",
+ "Metrics, AzureServices",
+ "Logging, Metrics, AzureServices",
+ "Logging, Metrics, AzureServices"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.bypass",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.bypass",
+ "notIn": "[parameters('allowedBypassOptions')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
"effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_networkaclsvirtualnetworkrules.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_networkaclsvirtualnetworkrules.json
new file mode 100644
index 000000000..f8ae97ebc
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_networkaclsvirtualnetworkrules.json
@@ -0,0 +1,56 @@
+{
+ "name": "Deny-Storage-NetworkAclsVirtualNetworkRules",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Virtual network rules should be restricted for Storage Accounts",
+ "description": "Azure Storage accounts should restrict the virtual network service-level network ACLs. Enforce this for increased data exfiltration protection.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*]"
+ },
+ "greater": 0
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
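Review bot: In the Deny-Storage-NetworkAclsBypass hunk (starting on the previous line), `allowedBypassOptions.allowedValues` lists `"Logging, Metrics, AzureServices"` twice and `defaultValue` repeats the same duplicate, so one copy of each should be dropped. More importantly, the default as written permits every bypass combination except `None`, which means the only configuration the default assignment rejects is a storage account whose bypass is `None`, the opposite of the exfiltration-protection goal stated in the description; the intended default is presumably `None` plus whichever Logging/Metrics exceptions are acceptable, and that should be confirmed. The `notIn` comparison also relies on the service returning the combined value in exactly this comma-and-space ordering, which should be verified against a real account before the multi-value entries are trusted. The Deny-Storage-NetworkAclsVirtualNetworkRules hunk on this line raises no issue.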
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_resourceaccessrulesresourceid.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_resourceaccessrulesresourceid.json
new file mode 100644
index 000000000..140f10232
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_resourceaccessrulesresourceid.json
@@ -0,0 +1,66 @@
+{
+ "name": "Deny-Storage-ResourceAccessRulesResourceId",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Resource Access Rules resource IDs should be restricted for Storage Accounts",
+ "description": "Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from a specific Azure subscription. Enforce this for increased data exfiltration protection.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]"
+ },
+ "greater": 0
+ },
+ {
+ "count": {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]",
+ "where": {
+ "value": "[split(current('Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].resourceId'), '/')[2]]",
+ "equals": "*"
+ }
+ },
+ "greater": 0
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_resourceaccessrulestenantid.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_resourceaccessrulestenantid.json
new file mode 100644
index 000000000..6cce477cd
--- /dev/null
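Review bot: The second `allOf` member, the bare `count` of `resourceAccessRules[*]` with `"greater": 0`, is redundant: the third member's filtered count can only exceed zero when the array is non-empty, so the first count can be removed without changing the outcome. The filtered condition only inspects segment `[2]` of the split resource ID, i.e. it catches a wildcard in the subscription position of a `/subscriptions/<id>/...` path and nothing else; a rule whose resourceId takes a different shape, or that uses a wildcard at a later segment, passes silently, and if that is the intended scope the description ("to services from a specific Azure subscription") should say so explicitly rather than implying a general wildcard ban.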
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_resourceaccessrulestenantid.json
@@ -0,0 +1,60 @@
+{
+ "name": "Deny-Storage-ResourceAccessRulesTenantId",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Resource Access Rules Tenants should be restricted for Storage Accounts",
+ "description": "Azure Storage accounts should restrict the resource access rule for service-level network ACLs to service from the same AAD tenant. Enforce this for increased data exfiltration protection.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]"
+ },
+ "greater": 0
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].tenantId",
+ "notEquals": "[subscription().tenantId]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_servicesencryption.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_servicesencryption.json
new file mode 100644
index 000000000..54d016827
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_storage_servicesencryption.json
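Review bot: The last `allOf` member applies `notEquals` directly to the `resourceAccessRules[*].tenantId` alias, and Azure Policy evaluates a `[*]` field condition across every array element, so as far as I can tell the condition holds only when all rules point to a foreign tenant; an account that mixes one same-tenant rule with one foreign-tenant rule would not be denied. The sibling Deny-Storage-ResourceAccessRulesResourceId definition already uses the `count`/`where` form, which fires on a single offending element, and the same shape here (below) would also make the preceding bare `count` member redundant. If the all-elements reading is not what was intended, this needs a test assignment against an account with mixed rules before it is relied on.

```json
{
 "count": {
 "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]",
 "where": {
 "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].tenantId",
 "notEquals": "[subscription().tenantId]"
 }
 },
 "greater": 0
}
```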
@@ -0,0 +1,102 @@
+{
+ "name": "Deny-Storage-ServicesEncryption",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Encryption for storage services should be enforced for Storage Accounts",
+ "description": "Azure Storage accounts should enforce encryption for all storage services. Enforce this for increased encryption scope.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "anyOf": [
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
+ "notEquals": true
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/encryption.services.file.enabled",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/encryption.services.file.enabled",
+ "notEquals": true
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType",
+ "notEquals": "Account"
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/encryption.services.table.keyType",
+ "exists": "false"
+ },
+ {
+ "field":
"Microsoft.Storage/storageAccounts/encryption.services.table.keyType",
+ "notEquals": "Account"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_aa.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_aa.json
index fee8ee212..c1e6c49bd 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_aa.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_aa.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Automation to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Automation to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_aci.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_aci.json
index 2ab193db6..0a88a7df4 100644
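Review bot: In the Deny-Storage-ServicesEncryption hunk (which starts on the previous line), the four service branches do not test the same property: blob and file are checked for `encryption.services.<svc>.enabled` being `true`, while queue and table are checked for `encryption.services.<svc>.keyType` being `"Account"`, yet the description claims the policy enforces "encryption for all storage services" uniformly. Either blob and file should also be held to the `keyType` check, or the displayName/description should state that queue and table are additionally required to use the account key type; as written a reader cannot tell which is intended. Stylistically, the four inner `anyOf` objects nested inside the outer `anyOf` can be flattened into a single eight-member `anyOf` with identical semantics, which removes two indentation levels from the rule.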
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_aci.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_aci.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Container Instances to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_acr.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_acr.json
index fac00d211..7860050e2 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_acr.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_acr.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Container Registry to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_analysisservice.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_analysisservice.json
index 0b6991826..9774e025d 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_analysisservice.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_analysisservice.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_apiforfhir.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_apiforfhir.json
index 3c43b2d87..0dd4e3223 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_apiforfhir.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_apiforfhir.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_apimgmt.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_apimgmt.json
index 9ffe64057..fda4db6d1 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_apimgmt.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_apimgmt.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for API Management to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for API Management to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.2.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_applicationgateway.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_applicationgateway.json
index 4362a337f..03f5b218c 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_applicationgateway.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_applicationgateway.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_avdscalingplans.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_avdscalingplans.json
index 631957ec9..727dd199e 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_avdscalingplans.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_avdscalingplans.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_bastion.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_bastion.json
index 8958c29e1..48afcbdea 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_bastion.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_bastion.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_cdnendpoints.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_cdnendpoints.json
index 618a4d6b0..eaebf19cd 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_cdnendpoints.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_cdnendpoints.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_cognitiveservices.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_cognitiveservices.json
index fbf8a0e5b..17951837e 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_cognitiveservices.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_cognitiveservices.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_cosmosdb.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_cosmosdb.json
index 0c5e86c70..8832fe3c0 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_cosmosdb.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_cosmosdb.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.2.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_databricks.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_databricks.json
index b93b48b69..a2b53063a 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_databricks.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_databricks.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Databricks to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.3.0",
+ "deprecated": true,
+ "version": "1.3.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_dataexplorercluster.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_dataexplorercluster.json
index 8faad53c9..896422bd0 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_dataexplorercluster.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_dataexplorercluster.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_datafactory.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_datafactory.json
index fe5aa77ef..019beab83 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_datafactory.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_datafactory.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Data Factory to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.2.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_dlanalytics.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_dlanalytics.json
index 43e223d8e..54232fd32 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_dlanalytics.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_dlanalytics.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_eventgridsub.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_eventgridsub.json
index c77b4eb3d..b4b5adb0c 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_eventgridsub.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_eventgridsub.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_eventgridsystemtopic.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_eventgridsystemtopic.json
index 51ed84ae9..bd4501c9b 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_eventgridsystemtopic.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_eventgridsystemtopic.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_eventgridtopic.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_eventgridtopic.json
index 5990ef97e..cf1ff1ce2 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_eventgridtopic.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_eventgridtopic.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.2.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_expressroute.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_expressroute.json
index 25aa36286..88257d03f 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_expressroute.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_expressroute.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_firewall.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_firewall.json
index 01d780d7d..3546fe19e 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_firewall.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_firewall.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Firewall to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.2.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_frontdoor.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_frontdoor.json
index d7fa9f3c2..7bd6c5416 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_frontdoor.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_frontdoor.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Front Door to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_function.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_function.json
index bcde0b94b..0ad8e5e58 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_function.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_function.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_hdinsight.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_hdinsight.json
index b2a779ec5..f23df3993 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_hdinsight.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_hdinsight.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for HDInsight to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_iothub.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_iothub.json
index 2ab78fb4b..82aec5d9d 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_iothub.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_iothub.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_loadbalancer.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_loadbalancer.json
index 69898554f..b4a00e7e3 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_loadbalancer.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_loadbalancer.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_loganalytics.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_loganalytics.json
index bf6d6c29f..2eaf1d164 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_loganalytics.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_loganalytics.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_logicappsise.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_logicappsise.json
index 1d5628291..19b436fb6 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_logicappsise.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_logicappsise.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mariadb.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mariadb.json
index 773ef7fc7..fb0f323ae 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mariadb.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mariadb.json
@@ -6,12 +6,13 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated] Diagnostic Settings for MariaDB to Log Analytics Workspace",
+ "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. Deprecating due to service retirement, https://learn.microsoft.com/en-us/azure/mariadb/whats-happening-to-mariadb",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
 "alzCloudEnvironments": [
 "AzureCloud",
 "AzureChinaCloud",
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mediaservice.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mediaservice.json
index c98506e3b..c0e9d24fd 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mediaservice.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mediaservice.json
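Review bot: The MariaDB deprecation is marked differently from every other definition in this commit: the new `displayName` reads `[Deprecated] Diagnostic Settings ...` (no colon, "Deploy" dropped, "Workspace" capitalised) where the others use `[Deprecated]: Deploy Diagnostic Settings ... workspace`, and `"deprecated": true` is appended after `source` instead of sitting next to `version`. Anything that filters or reports on deprecated definitions by the display-name prefix — which I assume some consumers of this library do — would treat this one inconsistently, and the metadata order makes the two markers harder to diff against the sibling files. I would align it with the rest, e.g. `"displayName": "[Deprecated]: Deploy Diagnostic Settings for MariaDB to Log Analytics workspace",` and move `"deprecated": true,` to directly precede `"version": "1.1.0-deprecated",`; the differing deprecation reason in the description is fine and should stay. The description also ends without the terminating period the other hunks use.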
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mlworkspace.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mlworkspace.json
index 6df9c2472..1dcb9ebd9 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mlworkspace.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mlworkspace.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.2.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mysql.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mysql.json
index 1048f2fa3..4fbe778f3 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mysql.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_mysql.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_networksecuritygroups.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_networksecuritygroups.json
index e78433615..fb73376ef 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_networksecuritygroups.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_networksecuritygroups.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_nic.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_nic.json
index daca6b487..747da3d7d 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_nic.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_nic.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_postgresql.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_postgresql.json
index 82b1ba70c..e78cb594d 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_postgresql.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_postgresql.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "2.0.0",
+ "deprecated": true,
+ "version": "2.0.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_powerbiembedded.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_powerbiembedded.json
index e3988dbff..f06edec62 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_powerbiembedded.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_powerbiembedded.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_rediscache.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_rediscache.json
index 44f70db10..8b73c2d2c 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_rediscache.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_rediscache.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_relay.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_relay.json
index f8595c851..2f9c9047b 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_relay.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_relay.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Relay to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Relay to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_signalr.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_signalr.json
index e9a395c1f..ed26505af 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_signalr.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_signalr.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for SignalR to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_sqlelasticpools.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_sqlelasticpools.json
index 2cf6fe69f..6d632c1d8 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_sqlelasticpools.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_sqlelasticpools.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_sqlmi.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_sqlmi.json
index d838026c2..825ba0362 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_sqlmi.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_sqlmi.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_timeseriesinsights.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_timeseriesinsights.json
index ca3dfcc2d..76c53faea 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_timeseriesinsights.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_timeseriesinsights.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_trafficmanager.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_trafficmanager.json
index 2bd6593bf..575f26bf8 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_trafficmanager.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_trafficmanager.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_virtualnetwork.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_virtualnetwork.json
index 9dbde3a3e..1add05f3d 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_virtualnetwork.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_virtualnetwork.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_vm.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_vm.json
index fe19ea182..98b10facc 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_vm.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_vm.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_vmss.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_vmss.json
index 3adea471a..dac3394e2 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_vmss.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_vmss.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_vnetgw.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_vnetgw.json
index ac9bd97fa..98cbd291f 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_vnetgw.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_vnetgw.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.1",
+ "deprecated": true,
+ "version": "1.1.1-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_vwans2svpngw.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_vwans2svpngw.json
index 6d51b7520..46db0f5f6 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_vwans2svpngw.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_vwans2svpngw.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.0.0",
+ "deprecated": true,
+ "version": "1.0.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_webserverfarm.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_webserverfarm.json
index ba52b224c..e4fdf8e2f 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_webserverfarm.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_webserverfarm.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_website.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_website.json
index af682e66a..c31f9e38d 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_website.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_website.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for App Service to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for App Service to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.2.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdappgroup.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdappgroup.json
index 5db3014d0..29958cbcc 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdappgroup.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdappgroup.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.1",
+ "deprecated": true,
+ "version": "1.1.1-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdhostpools.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdhostpools.json
index 213d020c4..9f8d0e8a8 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdhostpools.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdhostpools.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.3.0",
+ "deprecated": true,
+ "version": "1.3.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdworkspace.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdworkspace.json
index 215102a42..072193393 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdworkspace.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdworkspace.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.1",
+ "deprecated": true,
+ "version": "1.1.1-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_logicapp_tls.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_logicapp_tls.json
new file mode 100644
index 000000000..9c202975f
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_logicapp_tls.json
@@ -0,0 +1,95 @@
+{
+ "name": "Deploy-LogicApp-TLS",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Configure Logic apps to use the latest TLS version",
+ "description": "Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Logic Apps",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "kind",
+ "contains": "workflowapp"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Web/sites/config",
+ "name": "web",
+ "existenceCondition": {
+ "field": "Microsoft.Web/sites/config/minTlsVersion",
+ "equals": "1.2"
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "parameters": {
+ "siteName": {
+ "value": "[field('name')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "siteName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/config",
+ "apiVersion": "2021-02-01",
+ "name": "[concat(parameters('siteName'), '/web')]",
+ "properties": {
+ "minTlsVersion": "1.2"
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mdfc_arc_sql_dcr_association.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mdfc_arc_sql_dcr_association.json
new file mode 100644
index 000000000..4b39f8dc4
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mdfc_arc_sql_dcr_association.json
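Review bot: The `description` talks about "Function apps" while the rule targets `Microsoft.Web/sites` whose `kind` contains `workflowapp`, i.e. Logic Apps Standard; change that sentence to `Upgrade to the latest TLS version for Logic apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.` Separately, the `existenceCondition` is `minTlsVersion equals "1.2"` and the remediation writes `"1.2"`, so a site already pinned to a stricter minimum (1.3, where the platform accepts it) would be reported non-compliant and, on remediation, loosened back to 1.2; `"in": ["1.2", "1.3"]` avoids that regression while still catching 1.0/1.1. The display name's "latest TLS version" then overstates what the rule enforces; "TLS 1.2 or later" would be accurate.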
@@ -0,0 +1,202 @@
+{
+ "name": "Deploy-MDFC-Arc-SQL-DCR-Association",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "[Deprecated]: Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR",
+ "description": "Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html",
+ "metadata": {
+ "version": "1.0.0-deprecated",
+ "category": "Security Center",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "2227e1f1-23dd-4c3a-85a9-7024a401d8b2",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "workspaceRegion": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Workspace region",
+ "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.",
+ "strongType": "location"
+ }
+ },
+ "dcrName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Data Collection Rule Name",
+ "description": "Name of the Data Collection Rule."
+ }
+ },
+ "dcrResourceGroup": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Data Collection Rule Resource Group",
+ "description": "Resource Group of the Data Collection Rule."
+ }
+ },
+ "dcrId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Data Collection Rule Id",
+ "description": "Id of the Data Collection Rule."
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.HybridCompute/machines"
+ },
+ {
+ "field": "Microsoft.HybridCompute/machines/osName",
+ "equals": "Windows"
+ },
+ {
+ "field": "Microsoft.HybridCompute/machines/mssqlDiscovered",
+ "equals": "true"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/dataCollectionRuleAssociations",
+ "name": "MicrosoftDefenderForSQL-RulesAssociation",
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceGroup": {
+ "type": "string"
+ },
+ "vmName": {
+ "type": "string"
+ },
+ "workspaceRegion": {
+ "type": "string"
+ },
+ "dcrName": {
+ "type": "string"
+ },
+ "dcrResourceGroup": {
+ "type": "string"
+ },
+ "dcrId": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "locationLongNameToShortMap": {
+ "australiacentral": "CAU",
+ "australiaeast": "EAU",
+ "australiasoutheast": "SEAU",
+ "brazilsouth": "CQ",
+ "canadacentral": "CCA",
+ "canadaeast": "CCA",
+ "centralindia": "CIN",
+ "centralus": "CUS",
+ "eastasia": "EA",
+ "eastus2euap": "eus2p",
+ "eastus": "EUS",
+ "eastus2": "EUS2",
+ "francecentral": "PAR",
+ "germanywestcentral": "DEWC",
+ "japaneast": "EJP",
+ "jioindiawest": "CIN",
+ "koreacentral": "SE",
+ "koreasouth": "SE",
+ "northcentralus": "NCUS",
+ "northeurope": "NEU",
+ "norwayeast": "NOE",
+ "southafricanorth": "JNB",
+ "southcentralus": "SCUS",
+ "southeastasia": "SEA",
+ "southindia": "CIN",
+ "swedencentral": "SEC",
+ "switzerlandnorth": "CHN",
+ "switzerlandwest": "CHW",
+ "uaenorth": "DXB",
+ "uksouth": "SUK",
+ "ukwest": "WUK",
+ "westcentralus": "WCUS",
+ "westeurope": "WEU",
+ "westindia": "CIN",
+ "westus": "WUS",
+ "westus2": "WUS2"
+ },
+ "locationCode": "[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]",
+ "subscriptionId": "[subscription().subscriptionId]",
+ "defaultRGName": "[parameters('resourceGroup')]",
+ "dcrName": "[parameters('dcrName')]",
+ "dcrId": "[parameters('dcrId')]",
+ "dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations",
+ "name": "[variables('dcraName')]",
+ "apiVersion": "2021-04-01",
+ "properties": {
+ "description": "Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.",
+ "dataCollectionRuleId": "[variables('dcrId')]"
+ }
+ }
+ ]
+ },
+ "parameters": {
+ "resourceGroup": {
+ "value": "[parameters('dcrResourceGroup')]"
+ },
+ "vmName": {
+ "value": "[field('name')]"
+ },
+ "workspaceRegion": {
+ "value": "[parameters('workspaceRegion')]"
+ },
+ "dcrName": {
+ "value": "[parameters('dcrName')]"
+ },
+ "dcrResourceGroup": {
+ "value": "[parameters('dcrResourceGroup')]"
+ },
+ "dcrId": {
+ "value": "[parameters('dcrId')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mdfc_arc_sql_defendersql_dcr.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mdfc_arc_sql_defendersql_dcr.json
new file mode 100644
index 000000000..4bf554007
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mdfc_arc_sql_defendersql_dcr.json
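Review bot: The DeployIfNotExists `details` block has no `existenceCondition`, so the check is satisfied by any association named `MicrosoftDefenderForSQL-RulesAssociation` regardless of which DCR it references; an association re-pointed to another rule is treated as compliant and never corrected. If this definition is meant to keep working until its assignments are retired, add `"existenceCondition": { "field": "Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId", "equals": "[parameters('dcrId')]" }` after `"name"` (alias to be confirmed against the provider). Also, the inner template declares `workspaceRegion`, `dcrName`, `dcrResourceGroup` and the whole `locationLongNameToShortMap`/`locationCode`/`subscriptionId`/`defaultRGName` variable set, but its single resource reads only `dcraName` and `dcrId`; the same dead map and unused parameters recur in the Deploy-MDFC-Arc-Sql-DefenderSQL-DCR and Deploy-MDFC-SQL-DefenderSQL hunks below. Since the file lands already marked deprecated, trimming is optional, but the unused policy parameters still have to be supplied at assignment because none has a `defaultValue`.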
@@ -0,0 +1,406 @@
+{
+ "name": "Deploy-MDFC-Arc-Sql-DefenderSQL-DCR",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "[Deprecated]: Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW",
+ "description": "Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html",
+ "metadata": {
+ "version": "1.0.0-deprecated",
+ "category": "Security Center",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "63d03cbd-47fd-4ee1-8a1c-9ddf07303de0",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "userWorkspaceResourceId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Workspace Resource Id",
+ "description": "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "workspaceRegion": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Workspace region",
+ "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.",
+ "strongType": "location"
+ }
+ },
+ "enableCollectionOfSqlQueriesForSecurityResearch": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Enable collection of SQL queries for security research",
+ "description": "Enable or disable the collection of SQL queries for security research."
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": false
+ },
+ "dcrName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Data Collection Rule Name",
+ "description": "Name of the Data Collection Rule."
+ }
+ },
+ "dcrResourceGroup": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Data Collection Rule Resource Group",
+ "description": "Resource Group of the Data Collection Rule."
+ }
+ },
+ "dcrId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Data Collection Rule Id",
+ "description": "Id of the Data Collection Rule."
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.HybridCompute/machines"
+ },
+ {
+ "field": "Microsoft.HybridCompute/machines/osName",
+ "equals": "Windows"
+ },
+ {
+ "field": "Microsoft.HybridCompute/machines/mssqlDiscovered",
+ "equals": "true"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "deploymentScope": "subscription",
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "existenceScope": "subscription",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "location",
+ "equals": "[parameters('workspaceRegion')]"
+ },
+ {
+ "field": "name",
+ "equals": "[parameters('dcrName')]"
+ }
+ ]
+ },
+ "deployment": {
+ "location": "eastus",
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceGroup": {
+ "type": "string"
+ },
+ "vmName": {
+ "type": "string"
+ },
+ "userWorkspaceResourceId": {
+ "type": "string"
+ },
+ "workspaceRegion": {
+ "type": "string"
+ },
+ "enableCollectionOfSqlQueriesForSecurityResearch": {
+ "type": "bool"
+ },
+ "dcrName": {
+ "type": "string"
+ },
+ "dcrResourceGroup": {
+ "type": "string"
+ },
+ "dcrId": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "locationLongNameToShortMap": {
+ "australiacentral": "CAU",
+ "australiaeast": "EAU",
+ "australiasoutheast": "SEAU",
+ "brazilsouth": "CQ",
+ "canadacentral": "CCA",
+ "canadaeast": "CCA",
+ "centralindia": "CIN",
+ "centralus": "CUS",
+ "eastasia": "EA",
+ "eastus2euap": "eus2p",
+ "eastus": "EUS",
+ "eastus2": "EUS2",
+ "francecentral": "PAR",
+ "germanywestcentral": "DEWC",
+ "japaneast": "EJP",
+ "jioindiawest": "CIN",
+ "koreacentral": "SE",
+ "koreasouth": "SE",
+ "northcentralus": "NCUS",
+ "northeurope": "NEU",
+ "norwayeast": "NOE",
+ "southafricanorth": "JNB",
+ "southcentralus": "SCUS",
+ "southeastasia": "SEA",
+ "southindia": "CIN",
+ "swedencentral": "SEC",
+ "switzerlandnorth": "CHN",
+ "switzerlandwest": "CHW",
+ "uaenorth": "DXB",
+ "uksouth": "SUK",
+ "ukwest": "WUK",
+ "westcentralus": "WCUS",
+ "westeurope": "WEU",
+ "westindia": "CIN",
+ "westus": "WUS",
+ "westus2": "WUS2"
+ },
+ "locationCode": "[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]",
+ "subscriptionId": "[subscription().subscriptionId]",
+ "defaultRGName": "[parameters('resourceGroup')]",
+ "defaultRGLocation": "[parameters('workspaceRegion')]",
+ "dcrName": "[parameters('dcrName')]",
+ "dcrId": "[parameters('dcrId')]",
+ "dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]",
+ "deployDataCollectionRules": "[concat('deployDataCollectionRules-', uniqueString(deployment().name))]",
+ "deployDataCollectionRulesAssociation": "[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]"
+ },
+ "resources": [
+ {
+ "condition": "[empty(parameters('dcrResourceGroup'))]",
+ "type": "Microsoft.Resources/resourceGroups",
+ "name": "[variables('defaultRGName')]",
+ "apiVersion": "2022-09-01",
+ "location": "[variables('defaultRGLocation')]",
+ "tags": {
+ "createdBy": "MicrosoftDefenderForSQL"
+ }
+ },
+ {
+ "condition": "[empty(parameters('dcrId'))]",
+ "type": "Microsoft.Resources/deployments",
+ "name": "[variables('deployDataCollectionRules')]",
+ "apiVersion": "2022-09-01",
+ "resourceGroup": "[variables('defaultRGName')]",
+ "dependsOn": [
+ "[variables('defaultRGName')]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "defaultRGLocation": {
+ "value": "[variables('defaultRGLocation')]"
+ },
+ "workspaceResourceId": {
+ "value": "[parameters('userWorkspaceResourceId')]"
+ },
+ "dcrName": {
+ "value": "[variables('dcrName')]"
+ },
+ "dcrId": {
+ "value": "[variables('dcrId')]"
+ },
+ "enableCollectionOfSqlQueriesForSecurityResearch": {
+ "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "defaultRGLocation": {
+ "type": "string"
+ },
+ "workspaceResourceId": {
+ "type": "string"
+ },
+ "dcrName": {
+ "type": "string"
+ },
+ "dcrId": {
+ "type": "string"
+ },
+ "enableCollectionOfSqlQueriesForSecurityResearch": {
+ "type": "bool"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "name": "[parameters('dcrName')]",
+ "apiVersion": "2021-04-01",
+ "location": "[parameters('defaultRGLocation')]",
+ "tags": {
+ "createdBy": "MicrosoftDefenderForSQL"
+ },
+ "properties": {
+ "description": "Data collection rule for Microsoft Defender for SQL. Deleting this rule will break the detection of security vulnerabilities.",
+ "dataSources": {
+ "extensions": [
+ {
+ "extensionName": "MicrosoftDefenderForSQL",
+ "name": "MicrosoftDefenderForSQL",
+ "streams": [
+ "Microsoft-DefenderForSqlAlerts",
+ "Microsoft-DefenderForSqlLogins",
+ "Microsoft-DefenderForSqlTelemetry",
+ "Microsoft-DefenderForSqlScanEvents",
+ "Microsoft-DefenderForSqlScanResults"
+ ],
+ "extensionSettings": {
+ "enableCollectionOfSqlQueriesForSecurityResearch": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
+ }
+ }
+ ]
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[parameters('workspaceResourceId')]",
+ "name": "LogAnalyticsDest"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Microsoft-DefenderForSqlAlerts",
+ "Microsoft-DefenderForSqlLogins",
+ "Microsoft-DefenderForSqlTelemetry",
+ "Microsoft-DefenderForSqlScanEvents",
+ "Microsoft-DefenderForSqlScanResults"
+ ],
+ "destinations": [
+ "LogAnalyticsDest"
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "name": "[variables('deployDataCollectionRulesAssociation')]",
+ "apiVersion": "2022-09-01",
+ "resourceGroup": "[parameters('resourceGroup')]",
+ "dependsOn": [
+ "[variables('deployDataCollectionRules')]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "dcrId": {
+ "value": "[variables('dcrId')]"
+ },
+ "dcraName": {
+ "value": "[variables('dcraName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "dcrId": {
+ "type": "string"
+ },
+ "dcraName": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations",
+ "name": "[parameters('dcraName')]",
+ "apiVersion": "2021-04-01",
+ "properties": {
+ "description": "Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.",
+ "dataCollectionRuleId": "[parameters('dcrId')]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "parameters": {
+ "resourceGroup": {
+ "value": "[parameters('dcrResourceGroup')]"
+ },
+ "vmName": {
+ "value": "[field('name')]"
+ },
+ "userWorkspaceResourceId": {
+ "value": "[parameters('userWorkspaceResourceId')]"
+ },
+ "workspaceRegion": {
+ "value": "[parameters('workspaceRegion')]"
+ },
+ "enableCollectionOfSqlQueriesForSecurityResearch": {
+ "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
+ },
+ "dcrName": {
+ "value": "[parameters('dcrName')]"
+ },
+ "dcrResourceGroup": {
+ "value": "[parameters('dcrResourceGroup')]"
+ },
+ "dcrId": {
+ "value": "[parameters('dcrId')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mdfc_sql_ama.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mdfc_sql_ama.json
new file mode 100644
index 000000000..2b456fab0
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mdfc_sql_ama.json
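Review bot: The resource-group resource is conditioned on `[empty(parameters('dcrResourceGroup'))]`, yet its `name` is `variables('defaultRGName')`, which resolves to `parameters('resourceGroup')` and is fed from the same `dcrResourceGroup` policy parameter; the group is therefore only ever created when its own name is empty, which ARM rejects, and when a name is supplied nothing is created although the nested deployment still targets `"resourceGroup": "[variables('defaultRGName')]"`. This looks like a leftover from a variant that generated a default name — either drop the `condition` or give `defaultRGName` a non-empty fallback. The subscription-level deployment also hard-codes `"location": "eastus"` while `alzCloudEnvironments` lists AzureChinaCloud and AzureUSGovernment, where that region does not exist; `"location": "[parameters('workspaceRegion')]"` is already available and cloud-neutral. Both points probably apply to the Deploy-MDFC-SQL-DefenderSQL-DCR hunk at the end of this view, whose template begins the same way but is cut off here.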
@@ -0,0 +1,177 @@
+{
+ "name": "Deploy-MDFC-SQL-AMA",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "[Deprecated]: Configure SQL Virtual Machines to automatically install Azure Monitor Agent",
+ "description": "Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/f91991d1-5383-4c95-8ee5-5ac423dd8bb1.html",
+ "metadata": {
+ "version": "1.0.0-deprecated",
+ "category": "Security Center",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "f91991d1-5383-4c95-8ee5-5ac423dd8bb1",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "identityResourceGroup": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Identity Resource Group",
+ "description": "The name of the resource group created by the policy."
+ },
+ "defaultValue": ""
+ },
+ "userAssignedIdentityName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "User Assigned Managed Identity Name",
+ "description": "The name of the user assigned managed identity."
+ },
+ "defaultValue": ""
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Compute/virtualMachines"
+ },
+ {
+ "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
+ "like": "Windows*"
+ },
+ {
+ "field": "Microsoft.Compute/imagePublisher",
+ "equals": "microsoftsqlserver"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "evaluationDelay": "AfterProvisioning",
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
+ ],
+ "name": "[concat(field('fullName'), '/AzureMonitorWindowsAgent')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Compute/virtualMachines/extensions/type",
+ "equals": "AzureMonitorWindowsAgent"
+ },
+ {
+ "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
+ "equals": "Microsoft.Azure.Monitor"
+ },
+ {
+ "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
+ "in": [
+ "Succeeded",
+ "Provisioning succeeded"
+ ]
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "vmName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "userAssignedManagedIdentity": {
+ "type": "string"
+ },
+ "userAssignedIdentityName": {
+ "type": "string"
+ },
+ "identityResourceGroup": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "extensionName": "AzureMonitorWindowsAgent",
+ "extensionPublisher": "Microsoft.Azure.Monitor",
+ "extensionType": "AzureMonitorWindowsAgent",
+ "extensionTypeHandlerVersion": "1.2"
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]",
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "location": "[parameters('location')]",
+ "tags": {
+ "createdBy": "MicrosoftDefenderForSQL"
+ },
+ "apiVersion": "2023-03-01",
+ "properties": {
+ "publisher": "[variables('extensionPublisher')]",
+ "type": "[variables('extensionType')]",
+ "typeHandlerVersion": "[variables('extensionTypeHandlerVersion')]",
+ "autoUpgradeMinorVersion": true,
+ "enableAutomaticUpgrade": true,
+ "settings": {
+ "authentication": {
+ "managedIdentity": {
+ "identifier-name": "mi_res_id",
+ "identifier-value": "[parameters('userAssignedManagedIdentity')]"
+ }
+ }
+ }
+ }
+ }
+ ]
+ },
+ "parameters": {
+ "vmName": {
+ "value": "[field('name')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "userAssignedManagedIdentity": {
+ "value": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName')))]"
+ },
+ "userAssignedIdentityName": {
+ "value": "[parameters('userAssignedIdentityName')]"
+ },
+ "identityResourceGroup": {
+ "value": "[parameters('identityResourceGroup')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mdfc_sql_defendersql.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mdfc_sql_defendersql.json
new file mode 100644
index 000000000..b56e54526
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mdfc_sql_defendersql.json
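Review bot: `identityResourceGroup` and `userAssignedIdentityName` both default to `""`, but the template derives the identity from them as `concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName')))`, so an assignment that accepts the defaults hands the agent `/resourceGroups//providers/.../userAssignedIdentities/` — an invalid id that only surfaces when remediation deploys the extension. Drop the two `"defaultValue": ""` entries so both values are required at assignment, or guard the extension resource with a condition that both are non-empty. `userAssignedIdentityName` and `identityResourceGroup` are also forwarded into the template as parameters but never read there, and the `identityResourceGroup` description ("created by the policy") no longer matches a policy that creates nothing. This template alone uses the `2015-01-01` deploymentTemplate schema; harmless, but worth aligning with the `2019-04-01` schema used by the sibling definitions.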
@@ -0,0 +1,242 @@
+{
+ "name": "Deploy-MDFC-SQL-DefenderSQL",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "[Deprecated]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL",
+ "description": "Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html",
+ "metadata": {
+ "version": "1.0.0-deprecated",
+ "category": "Security Center",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "workspaceRegion": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Workspace region",
+ "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.",
+ "strongType": "location"
+ }
+ },
+ "dcrName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Data Collection Rule Name",
+ "description": "Name of the Data Collection Rule."
+ }
+ },
+ "dcrResourceGroup": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Data Collection Rule Resource Group",
+ "description": "Resource Group of the Data Collection Rule."
+ }
+ },
+ "dcrId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Data Collection Rule Id",
+ "description": "Id of the Data Collection Rule."
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Compute/virtualMachines"
+ },
+ {
+ "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
+ "like": "Windows*"
+ },
+ {
+ "field": "Microsoft.Compute/imagePublisher",
+ "equals": "microsoftsqlserver"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "name": "[concat(field('fullName'), '/MicrosoftDefenderForSQL')]",
+ "evaluationDelay": "AfterProvisioning",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Compute/virtualMachines/extensions/type",
+ "equals": "AdvancedThreatProtection.Windows"
+ },
+ {
+ "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
+ "equals": "Microsoft.Azure.AzureDefenderForSQL"
+ },
+ {
+ "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
+ "in": [
+ "Succeeded",
+ "Provisioning succeeded"
+ ]
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "vmName": {
+ "type": "string"
+ },
+ "workspaceRegion": {
+ "type": "string"
+ },
+ "dcrResourceGroup": {
+ "type": "string"
+ },
+ "dcrName": {
+ "type": "string"
+ },
+ "dcrId": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "locationLongNameToShortMap": {
+ "australiacentral": "CAU",
+ "australiaeast": "EAU",
+ "australiasoutheast": "SEAU",
+ "brazilsouth": "CQ",
+ "canadacentral": "CCA",
+ "canadaeast": "CCA",
+ "centralindia": "CIN",
+ "centralus": "CUS",
+ "eastasia": "EA",
+ "eastus2euap": "eus2p",
+ "eastus": "EUS",
+ "eastus2": "EUS2",
+ "francecentral": "PAR",
+ "germanywestcentral": "DEWC",
+ "japaneast": "EJP",
+ "jioindiawest": "CIN",
+ "koreacentral": "SE",
+ "koreasouth": "SE",
+ "northcentralus": "NCUS",
+ "northeurope": "NEU",
+ "norwayeast": "NOE",
+ "southafricanorth": "JNB",
+ "southcentralus": "SCUS",
+ "southeastasia": "SEA",
+ "southindia": "CIN",
+ "swedencentral": "SEC",
+ "switzerlandnorth": "CHN",
+ "switzerlandwest": "CHW",
+ "uaenorth": "DXB",
+ "uksouth": "SUK",
+ "ukwest": "WUK",
+ "westcentralus": "WCUS",
+ "westeurope": "WEU",
+ "westindia": "CIN",
+ "westus": "WUS",
+ "westus2": "WUS2"
+ },
+ "actualLocation": "[if(empty(parameters('workspaceRegion')), parameters('location'), parameters('workspaceRegion'))]",
+ "locationCode": "[if(contains(variables('locationLongNameToShortMap'), variables('actualLocation')), variables('locationLongNameToShortMap')[variables('actualLocation')], variables('actualLocation'))]",
+ "subscriptionId": "[subscription().subscriptionId]",
+ "defaultRGName": "[parameters('dcrResourceGroup')]",
+ "dcrName": "[parameters('dcrName')]",
+ "dcrId": "[parameters('dcrId')]",
+ "dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "name": "[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]",
+ "apiVersion": "2023-03-01",
+ "location": "[parameters('location')]",
+ "tags": {
+ "createdBy": "MicrosoftDefenderForSQL"
+ },
+ "properties": {
+ "publisher": "Microsoft.Azure.AzureDefenderForSQL",
+ "type": "AdvancedThreatProtection.Windows",
+ "typeHandlerVersion": "2.0",
+ "autoUpgradeMinorVersion": true,
+ "enableAutomaticUpgrade": true
+ },
+ "dependsOn": [
+ "[extensionResourceId(concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Compute/virtualMachines/', parameters('vmName')), 'Microsoft.Insights/dataCollectionRuleAssociations','MicrosoftDefenderForSQL-RulesAssociation')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations",
+ "name": "[variables('dcraName')]",
+ "apiVersion": "2021-04-01",
+ "properties": {
+ "description": "Configure association between SQL Virtual Machine and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.",
+ "dataCollectionRuleId": "[variables('dcrId')]"
+ }
+ }
+ ]
+ },
+ "parameters": {
+ "location": {
+ "value": "[field('location')]"
+ },
+ "vmName": {
+ "value": "[field('name')]"
+ },
+ "workspaceRegion": {
+ "value": "[parameters('workspaceRegion')]"
+ },
+ "dcrResourceGroup": {
+ "value": "[parameters('dcrResourceGroup')]"
+ },
+ "dcrName": {
+ "value": "[parameters('dcrName')]"
+ },
+ "dcrId": {
+ "value": "[parameters('dcrId')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mdfc_sql_defendersql_dcr.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mdfc_sql_defendersql_dcr.json
new file mode 100644
index 000000000..6cd564908
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mdfc_sql_defendersql_dcr.json
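Review bot: The `existenceCondition` inspects only the `MicrosoftDefenderForSQL` extension, while the deployment also creates the `Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations` resource that the extension `dependsOn`; a VM whose extension is present but whose association was deleted or re-pointed is therefore reported compliant and never remediated, even though the resource's own description says deleting the association breaks detection. Either split the association into its own DeployIfNotExists keyed on the DCRA, as the Arc variant earlier in this commit does, or state the gap in the definition's description. Also, the `workspaceRegion` policy parameter has no `defaultValue` and so must always be supplied, yet `actualLocation` falls back to `parameters('location')` when it is empty — make the parameter optional with `"defaultValue": ""` or drop the fallback so the two agree.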
@@ -0,0 +1,465 @@ +{ + "name": "Deploy-MDFC-SQL-DefenderSQL-DCR", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "[Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW", + "description": "Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html", + "metadata": { + "version": "1.0.1-deprecated", + "category": "Security Center", + "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "supersededBy": "04754ef9-9ae3-4477-bf17-86ef50026304", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "userWorkspaceResourceId": { + "type": "String", + "metadata": { + "displayName": "Workspace Resource Id", + "description": "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.", + "strongType": "omsWorkspace" + } + }, + "workspaceRegion": { + "type": "String", + "metadata": { + "displayName": "Workspace region", + "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.", + "strongType": "location" + } + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "type": "Boolean", + "metadata": { + "displayName": "Enable collection of SQL queries for security research", + "description": "Enable or disable the collection of SQL queries for security research." 
+ }, + "allowedValues": [ + true, + false + ], + "defaultValue": false + }, + "dcrName": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Name", + "description": "Name of the Data Collection Rule." + } + }, + "dcrResourceGroup": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Resource Group", + "description": "Resource Group of the Data Collection Rule." + } + }, + "dcrId": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Id", + "description": "Id of the Data Collection Rule." + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", + "like": "Windows*" + }, + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoftsqlserver" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/dataCollectionRules", + "evaluationDelay": "AfterProvisioning", + "deploymentScope": "subscription", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "existenceScope": "subscription", + "existenceCondition": { + "allOf": [ + { + "field": "location", + "equals": "[parameters('workspaceRegion')]" + }, + { + "field": "name", + "equals": "[parameters('dcrName')]" + } + ] + }, + "deployment": { + "location": "eastus", + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceGroup": { + "type": "string" + }, + "location": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "userWorkspaceResourceId": { + "type": "string" + }, + "workspaceRegion": { + "type": "string" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "type": "bool" + }, + 
"dcrName": { + "type": "string" + }, + "dcrResourceGroup": { + "type": "string" + }, + "dcrId": { + "type": "string" + } + }, + "variables": { + "locationLongNameToShortMap": { + "australiacentral": "CAU", + "australiaeast": "EAU", + "australiasoutheast": "SEAU", + "brazilsouth": "CQ", + "canadacentral": "CCA", + "canadaeast": "CCA", + "centralindia": "CIN", + "centralus": "CUS", + "eastasia": "EA", + "eastus2euap": "eus2p", + "eastus": "EUS", + "eastus2": "EUS2", + "francecentral": "PAR", + "germanywestcentral": "DEWC", + "japaneast": "EJP", + "jioindiawest": "CIN", + "koreacentral": "SE", + "koreasouth": "SE", + "northcentralus": "NCUS", + "northeurope": "NEU", + "norwayeast": "NOE", + "southafricanorth": "JNB", + "southcentralus": "SCUS", + "southeastasia": "SEA", + "southindia": "CIN", + "swedencentral": "SEC", + "switzerlandnorth": "CHN", + "switzerlandwest": "CHW", + "uaenorth": "DXB", + "uksouth": "SUK", + "ukwest": "WUK", + "westcentralus": "WCUS", + "westeurope": "WEU", + "westindia": "CIN", + "westus": "WUS", + "westus2": "WUS2" + }, + "locationCode": "[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]", + "subscriptionId": "[subscription().subscriptionId]", + "defaultRGName": "[parameters('dcrResourceGroup')]", + "defaultRGLocation": "[parameters('workspaceRegion')]", + "dcrName": "[parameters('dcrName')]", + "dcrId": "[parameters('dcrId')]", + "dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]", + "deployDataCollectionRules": "[concat('deployDataCollectionRules-', uniqueString(deployment().name))]", + "deployDataCollectionRulesAssociation": "[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]", + "deployDefenderForSQL": "[concat('deployDefenderForSQL-', uniqueString(deployment().name))]" + }, + "resources": [ + { + "condition": 
"[empty(parameters('dcrResourceGroup'))]", + "type": "Microsoft.Resources/resourceGroups", + "name": "[variables('defaultRGName')]", + "apiVersion": "2022-09-01", + "location": "[variables('defaultRGLocation')]", + "tags": { + "createdBy": "MicrosoftDefenderForSQL" + } + }, + { + "type": "Microsoft.Resources/deployments", + "name": "[variables('deployDefenderForSQL')]", + "apiVersion": "2022-09-01", + "resourceGroup": "[parameters('resourceGroup')]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "vmName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "name": "[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]", + "apiVersion": "2023-03-01", + "location": "[parameters('location')]", + "tags": { + "createdBy": "MicrosoftDefenderForSQL" + }, + "properties": { + "publisher": "Microsoft.Azure.AzureDefenderForSQL", + "type": "AdvancedThreatProtection.Windows", + "typeHandlerVersion": "2.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true + } + } + ] + } + } + }, + { + "condition": "[empty(parameters('dcrId'))]", + "type": "Microsoft.Resources/deployments", + "name": "[variables('deployDataCollectionRules')]", + "apiVersion": "2022-09-01", + "resourceGroup": "[variables('defaultRGName')]", + "dependsOn": [ + "[variables('defaultRGName')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "defaultRGLocation": { + "value": "[variables('defaultRGLocation')]" + }, + "workspaceResourceId": { + 
"value": "[parameters('userWorkspaceResourceId')]" + }, + "dcrName": { + "value": "[variables('dcrName')]" + }, + "dcrId": { + "value": "[variables('dcrId')]" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "defaultRGLocation": { + "type": "string" + }, + "workspaceResourceId": { + "type": "string" + }, + "dcrName": { + "type": "string" + }, + "dcrId": { + "type": "string" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "type": "bool" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/dataCollectionRules", + "name": "[parameters('dcrName')]", + "apiVersion": "2021-04-01", + "location": "[parameters('defaultRGLocation')]", + "tags": { + "createdBy": "MicrosoftDefenderForSQL" + }, + "properties": { + "description": "Data collection rule for Microsoft Defender for SQL. 
Deleting this rule will break the detection of security vulnerabilities.", + "dataSources": { + "extensions": [ + { + "extensionName": "MicrosoftDefenderForSQL", + "name": "MicrosoftDefenderForSQL", + "streams": [ + "Microsoft-DefenderForSqlAlerts", + "Microsoft-DefenderForSqlLogins", + "Microsoft-DefenderForSqlTelemetry", + "Microsoft-DefenderForSqlScanEvents", + "Microsoft-DefenderForSqlScanResults" + ], + "extensionSettings": { + "enableCollectionOfSqlQueriesForSecurityResearch": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" + } + } + ] + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[parameters('workspaceResourceId')]", + "name": "LogAnalyticsDest" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-DefenderForSqlAlerts", + "Microsoft-DefenderForSqlLogins", + "Microsoft-DefenderForSqlTelemetry", + "Microsoft-DefenderForSqlScanEvents", + "Microsoft-DefenderForSqlScanResults" + ], + "destinations": [ + "LogAnalyticsDest" + ] + } + ] + } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "name": "[variables('deployDataCollectionRulesAssociation')]", + "apiVersion": "2022-09-01", + "resourceGroup": "[parameters('resourceGroup')]", + "dependsOn": [ + "[variables('deployDataCollectionRules')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "dcrId": { + "value": "[variables('dcrId')]" + }, + "dcraName": { + "value": "[variables('dcraName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "dcrId": { + "type": "string" + }, + "dcraName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations", + "name": "[parameters('dcraName')]", + "apiVersion": "2021-04-01", + "properties": { + "description": "Configure 
association between SQL Virtual Machine and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.", + "dataCollectionRuleId": "[parameters('dcrId')]" + } + } + ] + } + } + } + ] + }, + "parameters": { + "resourceGroup": { + "value": "[resourceGroup().name]" + }, + "location": { + "value": "[field('location')]" + }, + "vmName": { + "value": "[field('name')]" + }, + "userWorkspaceResourceId": { + "value": "[parameters('userWorkspaceResourceId')]" + }, + "workspaceRegion": { + "value": "[parameters('workspaceRegion')]" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" + }, + "dcrName": { + "value": "[parameters('dcrName')]" + }, + "dcrResourceGroup": { + "value": "[parameters('dcrResourceGroup')]" + }, + "dcrId": { + "value": "[parameters('dcrId')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_private_dns_generic.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_private_dns_generic.json new file mode 100644 index 000000000..caf64db9f --- /dev/null +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_private_dns_generic.json 
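Review bot: The `existenceCondition` of `Deploy-MDFC-SQL-DefenderSQL-DCR` only checks that a `Microsoft.Insights/dataCollectionRules` named `dcrName` exists in `workspaceRegion` at `existenceScope: subscription`, so once that DCR has been created every later matching SQL VM evaluates compliant and the nested `deployDefenderForSQL` and `deployDataCollectionRulesAssociation` deployments (the `MicrosoftDefenderForSQL` extension and the DCRA) are never applied to it. The deployment also hard-codes `"location": "eastus"` while `alzCloudEnvironments` lists `AzureChinaCloud` and `AzureUSGovernment`, where that region does not exist and the subscription-level deployment would presumably fail. Because the definition is already marked deprecated and superseded, a rewrite is probably not worth it, but the `description` should state that per-VM extension/DCRA presence is not re-checked so operators migrate to the built-in rather than remediate with this one. Contributor (`b24988ac-6180-42a0-ab88-20f7382dd24c`) at subscription scope is also broader than the resource group, DCR, extension and DCRA the template creates need.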
@@ -0,0 +1,154 @@ +{ + "name": "Deploy-Private-DNS-Generic", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy-Private-DNS-Generic", + "description": "Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.", + "metadata": { + "version": "1.0.0", + "category": "Networking", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "privateDnsZoneId": { + "type": "String", + "metadata": { + "displayName": "Private DNS Zone ID for Paas services", + "description": "The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.", + "strongType": "Microsoft.Network/privateDnsZones", + "assignPermissions": true + } + }, + "resourceType": { + "type": "String", + "metadata": { + "displayName": "PaaS private endpoint resource type", + "description": "The PaaS endpoint resource type." + } + }, + "groupId": { + "type": "String", + "metadata": { + "displayName": "PaaS Private endpoint group ID (subresource)", + "description": "The group ID of the PaaS private endpoint. Also referred to as subresource." + } + }, + "evaluationDelay": { + "type": "String", + "metadata": { + "displayName": "Evaluation Delay", + "description": "The delay in evaluation of the policy. 
Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists" + }, + "defaultValue": "PT10M" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateEndpoints" + }, + { + "count": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId", + "contains": "[parameters('resourceType')]" + }, + { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "equals": "[parameters('groupId')]" + } + ] + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "evaluationDelay": "[parameters('evaluationDelay')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateDnsZoneId": { + "type": "string" + }, + "privateEndpointName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "resources": [ + { + "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]", + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-03-01", + "location": "[parameters('location')]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "PaaS-Service-Private-DNS-Zone-Config", + "properties": { + "privateDnsZoneId": "[parameters('privateDnsZoneId')]" + } + } + ] + } + } + ] + }, + "parameters": { + "privateDnsZoneId": { + "value": "[parameters('privateDnsZoneId')]" + }, + "privateEndpointName": { + 
"value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_userassignedmanagedidentity_vminsights.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_userassignedmanagedidentity_vminsights.json new file mode 100644 index 000000000..c88be40b7 --- /dev/null +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_userassignedmanagedidentity_vminsights.json 
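Review bot: In `Deploy-Private-DNS-Generic` the `privateLinkServiceId` test uses `"contains": "[parameters('resourceType')]"`, a substring match on the whole resource ID, so a short or partial `resourceType` value (for example `servers`) matches endpoints of several providers and the `privateDnsZoneGroups` deployment would attach the wrong private DNS zone to them, silently mis-resolving those private endpoints. The `groupId` equality only narrows this where the subresource name happens to be unique across providers. Consider anchoring the match to the provider path, e.g. `"contains": "[concat('/providers/', parameters('resourceType'), '/')]"`, and say in the `resourceType` description that the full `Microsoft.<Provider>/<type>` string is expected, as the `aka.ms/pepdnszones` reference implies.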
@@ -0,0 +1,405 @@ +{ + "name": "Deploy-UserAssignedManagedIdentity-VMInsights", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "[Deprecated]: Deploy User Assigned Managed Identity for VM Insights", + "description": "Policy is deprecated as it's no longer required. User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription.", + "metadata": { + "version": "1.0.0-deprecated", + "category": "Managed Identity", + "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Identity", + "description": "Enable this to use your pre-created user-assigned managed identity. The pre-created identity MUST exist within the subscription otherwise the policy deployment will fail. If enabled, ensure that the User-Assigned Identity Name and Identity Resource Group Name parameters match the pre-created identity. If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'." + }, + "allowedValues": [ + true, + false + ] + }, + "userAssignedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the pre-created user-assigned managed identity." + }, + "defaultValue": "" + }, + "identityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group Name", + "description": "The resource group in which the pre-created user-assigned managed identity resides." 
+ }, + "defaultValue": "" + }, + "builtInIdentityResourceGroupLocation": { + "type": "String", + "metadata": { + "displayName": "Built-In-Identity-RG Location", + "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy. This parameter is only used when 'Bring Your Own User Assigned Identity' parameter is false." + }, + "defaultValue": "eastus" + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Policy Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match." + }, + "allowedValues": [ + "AuditIfNotExists", + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "value": "[requestContext().apiVersion]", + "greaterOrEquals": "2018-10-01" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachines", + "name": "[field('name')]", + "evaluationDelay": "AfterProvisioning", + "deploymentScope": "subscription", + "existenceCondition": { + "anyOf": [ + { + "allOf": [ + { + "field": "identity.type", + "contains": "UserAssigned" + }, + { + "field": "identity.userAssignedIdentities", + "containsKey": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName'))), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/Built-In-Identity-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Built-In-Identity-', field('location')))]" + } + ] + }, + { + "allOf": [ + { + "field": "identity.type", + "equals": "UserAssigned" + }, + { + "value": "[string(length(field('identity.userAssignedIdentities')))]", + 
"equals": "1" + } + ] + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "location": "eastus", + "properties": { + "mode": "incremental", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]" + }, + "location": { + "value": "[field('location')]" + }, + "uaName": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('userAssignedIdentityName'), 'Built-In-Identity')]" + }, + "identityResourceGroup": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identityResourceGroup'), 'Built-In-Identity-RG')]" + }, + "builtInIdentityResourceGroupLocation": { + "value": "[parameters('builtInIdentityResourceGroupLocation')]" + }, + "vmName": { + "value": "[field('name')]" + }, + "vmResourceGroup": { + "value": "[resourceGroup().name]" + }, + "resourceId": { + "value": "[field('id')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "type": "bool" + }, + "location": { + "type": "string" + }, + "uaName": { + "type": "string" + }, + "identityResourceGroup": { + "type": "string" + }, + "builtInIdentityResourceGroupLocation": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "vmResourceGroup": { + "type": "string" + }, + "resourceId": { + "type": "string" + } + }, + "variables": { + "uaNameWithLocation": "[concat(parameters('uaName'),'-', parameters('location'))]", + "precreatedUaId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')))]", + "autocreatedUaId": "[concat('/subscriptions/', 
subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')), '-', parameters('location'))]", + "deployUALockName": "[concat('deployUALock-', uniqueString(deployment().name))]", + "deployUAName": "[concat('deployUA-', uniqueString(deployment().name))]", + "deployGetResourceProperties": "[concat('deployGetResourceProperties-', uniqueString(deployment().name))]", + "deployAssignUAName": "[concat('deployAssignUA-', uniqueString(deployment().name))]" + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2020-06-01", + "name": "[parameters('identityResourceGroup')]", + "location": "[parameters('builtInIdentityResourceGroupLocation')]" + }, + { + "condition": "[parameters('bringYourOwnUserAssignedManagedIdentity')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployUALockName')]", + "resourceGroup": "[parameters('identityResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[parameters('uaName')]" + }, + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "name": "[parameters('uaName')]", + "apiVersion": "2018-11-30", + "location": "[parameters('location')]" + } + ] + } + } + }, + { + "condition": "[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]", + "type": 
"Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployUAName')]", + "resourceGroup": "[parameters('identityResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[variables('uaNameWithLocation')]" + }, + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "name": "[parameters('uaName')]", + "apiVersion": "2018-11-30", + "location": "[parameters('location')]" + }, + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks", + "apiVersion": "2016-09-01", + "name": "[concat(parameters('uaName'), '/Microsoft.Authorization/', 'CanNotDeleteLock-', parameters('uaName'))]", + "dependsOn": [ + "[parameters('uaName')]" + ], + "properties": { + "level": "CanNotDelete", + "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence." 
+ } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployGetResourceProperties')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[variables('deployUAName')]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "resource": { + "type": "object", + "value": "[reference(parameters('resourceId'), '2019-07-01', 'Full')]" + } + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(variables('deployAssignUAName'))]", + "resourceGroup": "[parameters('vmResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[variables('deployUAName')]", + "[variables('deployGetResourceProperties')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaId": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), variables('precreatedUaId'), variables('autocreatedUaId'))]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "identityType": { + "value": "[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]" + }, + "userAssignedIdentities": { + "value": "[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 'userAssignedIdentities')), 
reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaId": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "identityType": { + "type": "string" + }, + "userAssignedIdentities": { + "type": "object" + } + }, + "variables": { + "identityTypeValue": "[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]", + "userAssignedIdentitiesValue": "[union(parameters('userAssignedIdentities'), createObject(parameters('uaId'), createObject()))]", + "resourceWithSingleUAI": "[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]" + }, + "resources": [ + { + "condition": "[not(variables('resourceWithSingleUAI'))]", + "apiVersion": "2019-07-01", + "type": "Microsoft.Compute/virtualMachines", + "name": "[parameters('vmName')]", + "location": "[parameters('location')]", + "identity": { + "type": "[variables('identityTypeValue')]", + "userAssignedIdentities": "[variables('userAssignedIdentitiesValue')]" + } + } + ] + } + } + } + ] + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_modify_nsg.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_modify_nsg.json new file mode 100644 index 000000000..7591cf640 --- /dev/null +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_modify_nsg.json 
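Review bot: The `Microsoft.Resources/resourceGroups` resource in the subscription template has no `condition`, so with `bringYourOwnUserAssignedManagedIdentity` true the policy still PUTs the caller's `identityResourceGroup` at `builtInIdentityResourceGroupLocation` (default `eastus`), and the `deployUALockName` deployment that runs in that branch PUTs a `Microsoft.ManagedIdentity/userAssignedIdentities` named `uaName` at the VM's `location` — both contradict the parameter description that the identity MUST pre-exist, and a pre-created RG or identity in another region would likely make the remediation fail or be altered by the policy identity. A guard such as `"condition": "[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]"` on the resource group, plus removing the identity PUT from the BYO branch (which, despite its name, deploys no lock), would keep the BYO path read-only. The hard-coded `"location": "eastus"` for the deployment will also not resolve in the `AzureChinaCloud`/`AzureUSGovernment` environments listed in `alzCloudEnvironments`. Since the definition is flagged deprecated this is mainly a caveat worth adding to its `description` rather than a blocker.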
@@ -0,0 +1,129 @@
+{
+ "name": "Modify-NSG",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Enforce specific configuration of Network Security Groups (NSG)",
+ "description": "This policy enforces the configuration of Network Security Groups (NSG).",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ],
+ "defaultValue": "Modify",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "nsgRuleName": {
+ "type": "string",
+ "defaultValue": "DenyAnyInternetOutbound"
+ },
+ "nsgRulePriority": {
+ "type": "integer",
+ "defaultValue": 1000
+ },
+ "nsgRuleDirection": {
+ "type": "string",
+ "allowedValues": [
+ "Inbound",
+ "Outbound"
+ ],
+ "defaultValue": "Outbound"
+ },
+ "nsgRuleAccess": {
+ "type": "string",
+ "allowedValues": [
+ "Allow",
+ "Deny"
+ ],
+ "defaultValue": "Deny"
+ },
+ "nsgRuleProtocol": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "nsgRuleSourceAddressPrefix": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "nsgRuleSourcePortRange": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "nsgRuleDestinationAddressPrefix": {
+ "type": "string",
+ "defaultValue": "Internet"
+ },
+ "nsgRuleDestinationPortRange": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "nsgRuleDescription": {
+ "type": "string",
+ "defaultValue": "Deny any outbound traffic to the Internet"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/networkSecurityGroups"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]"
+ },
+ 
"equals": 0
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
+ ],
+ "conflictEffect": "audit",
+ "operations": [
+ {
+ "operation": "add",
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
+ "value": {
+ "name": "[parameters('nsgRuleName')]",
+ "properties": {
+ "description": "[parameters('nsgRuleDescription')]",
+ "protocol": "[parameters('nsgRuleProtocol')]",
+ "sourcePortRange": "[parameters('nsgRuleSourcePortRange')]",
+ "destinationPortRange": "[parameters('nsgRuleDestinationPortRange')]",
+ "sourceAddressPrefix": "[parameters('nsgRuleSourceAddressPrefix')]",
+ "destinationAddressPrefix": "[parameters('nsgRuleDestinationAddressPrefix')]",
+ "access": "[parameters('nsgRuleAccess')]",
+ "priority": "[parameters('nsgRulePriority')]",
+ "direction": "[parameters('nsgRuleDirection')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_modify_udr.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_modify_udr.json
new file mode 100644
index 000000000..aeba9b862
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_modify_udr.json
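Review bot: The `if` in `Modify-NSG` fires only when the `securityRules[*]` count equals 0, so any NSG created or updated with at least one custom rule — even an unrelated one — is never touched and the `DenyAnyInternetOutbound` rule the policy is meant to enforce is simply skipped, which is an easy bypass for a policy whose displayName starts with "Enforce". Keying the condition on the absence of the managed rule closes the gap, e.g. `"count": { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]", "where": { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].name", "equals": "[parameters('nsgRuleName')]" } }, "equals": 0`; a `priority` collision with an existing rule then becomes possible, and `conflictEffect: audit` would presumably only report rather than resolve it, so the priority description should warn about it. The `nsgRule*` parameters also lack the `metadata.displayName`/`description` that `effect` has, so the assignment blade shows bare names; a one-liner such as `"description": "Priority of the enforced rule (100-4096); must not collide with an existing rule."` on `nsgRulePriority` would help.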
@@ -0,0 +1,103 @@
+{
+ "name": "Modify-UDR",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Enforce specific configuration of User-Defined Routes (UDR)",
+ "description": "This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ],
+ "defaultValue": "Modify",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "addressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The destination IP address range in CIDR notation that this Policy checks for within the UDR. Example: 0.0.0.0/0 to check for the presence of a default route.",
+ "displayName": "Address Prefix"
+ }
+ },
+ "nextHopType": {
+ "type": "string",
+ "metadata": {
+ "description": "The next hope type that the policy checks for within the inspected route. 
The value can be Virtual Network, Virtual Network Gateway, Internet, Virtual Appliance, or None.",
+ "displayName": "Next Hop Type"
+ },
+ "allowedValues": [
+ "VnetLocal",
+ "VirtualNetworkGateway",
+ "Internet",
+ "VirtualAppliance",
+ "None"
+ ]
+ },
+ "nextHopIpAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The IP address packets should be forwarded to.",
+ "displayName": "Next Hop IP Address"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/routeTables"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/routeTables/routes[*]"
+ },
+ "equals": 0
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
+ ],
+ "conflictEffect": "audit",
+ "operations": [
+ {
+ "operation": "add",
+ "field": "Microsoft.Network/routeTables/routes[*]",
+ "value": {
+ "name": "default",
+ "properties": {
+ "addressPrefix": "[parameters('addressPrefix')]",
+ "nextHopType": "[parameters('nextHopType')]",
+ "nextHopIpAddress": "[parameters('nextHopIpAddress')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_trustedlaunch.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_trustedlaunch.tmpl.json
new file mode 100644
index 000000000..feb83fa83
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_trustedlaunch.tmpl.json
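Review bot: The descriptions of `addressPrefix` and `nextHopType` claim the policy "checks for" a route with those values, but the `if` block only tests that `routes[*]` has a count of 0 and the `then` block adds a route named `default` unconditionally — nothing inspects existing routes, so a route table created with one unrelated route is left without the forced route, the same gap as in Modify-NSG. Rewrite both descriptions to say these are the values of the route that will be added to a route table created without routes, fix `next hope type` to `next hop type`, and align the listed values with `allowedValues` (the text says `Virtual Network` where the value is `VnetLocal`). `nextHopIpAddress` has no `defaultValue`, so it is mandatory for every assignment, yet it is written into the route for all `nextHopType` values; as far as I recall the Network RP only accepts a next-hop address with `VirtualAppliance`, so either give it `"defaultValue": ""` with a description stating the coupling, or build the route conditionally.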
@@ -0,0 +1,58 @@
+{
+ "name": "Audit-TrustedLaunch",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Audit virtual machines for Trusted Launch support",
+ "description": "Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Trusted Launch",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "AuditDisksOsTrustedLaunch",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AuditTrustedLaunchEnabled",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.tmpl.json
index 218046205..d5eaae68f 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Public network access should be disabled for PaaS services",
 "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints",
 "metadata": {
- "version": "3.1.0",
+ "version": "5.0.0",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -20,7 +20,7 @@
 "type": "String",
 "metadata": {
 "displayName": "Public network access should be disabled for CosmosDB",
- "description": "This policy denies that Cosmos database accounts are created with out public network access is disabled."
+ "description": "This policy denies that Cosmos database accounts are created with out public network access is disabled."
 },
 "allowedValues": [
 "Audit",
@@ -85,7 +85,7 @@
 "type": "String",
 "metadata": {
 "displayName": "Public network access on Azure Container Registry disabled",
- "description": "This policy denies the creation of Azure Container Registires with exposed public endpoints "
+ "description": "This policy denies the creation of Azure Container Registries with exposed public endpoints "
 },
 "allowedValues": [
 "Audit",
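Review bot: At `@@ -20,7 +20,7 @@` the Cosmos DB description is touched but the old and new text read the same here (presumably a whitespace-only change), and the sentence itself remains ungrammatical: `denies that Cosmos database accounts are created with out public network access is disabled`. Since the line is being rewritten anyway, suggest `"description": "This policy denies creation of Cosmos DB accounts unless public network access is disabled"`, which also matches the wording pattern used by the other parameters in this file.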
@@ -111,7 +111,20 @@
 "type": "String",
 "metadata": {
 "displayName": "Public network access should be disabled for PostgreSql Flexible Server",
- "description": "This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints"
+ "description": "This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "postgreSqlPublicNetworkAccess": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Public network access should be disabled for PostgreSQL servers",
+ "description": "This policy denies creation of PostgreSQL DB accounts with exposed public endpoints"
 },
 "allowedValues": [
 "Audit",
@@ -189,7 +202,7 @@
 "type": "String",
 "metadata": {
 "displayName": "Public network access should be disabled for Bot Service",
- "description": "This policy denies creation of Bot Service with exposed public endpoints. Bots should be seet to 'isolated only' mode"
+ "description": "This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode"
 },
 "allowedValues": [
 "Audit",
@@ -202,7 +215,7 @@
 "type": "String",
 "metadata": {
 "displayName": "Public network access should be disabled for Automation accounts",
- "description": "This policy denies creation of Automation accounts with exposed public endpoints. Bots should be seet to 'isolated only' mode"
+ "description": "This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode"
 },
 "allowedValues": [
 "Audit",
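Review bot: In `@@ -202,7 +215,7 @@` the Automation-accounts description still ends with `Bots should be set to 'isolated only' mode`, a sentence that belongs to the Bot Service entry directly above it; the commit fixes the spelling but keeps text that is wrong for this resource type. Suggest `"description": "This policy denies creation of Automation accounts with exposed public endpoints"`. In `@@ -111,7 +111,20 @@` the new `postgreSqlPublicNetworkAccess` parameter is declared `"type": "string"` while the surrounding parameters use `"String"`; harmless to the platform, but it breaks the file's own convention.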
@@ -237,6 +250,19 @@
 ],
 "defaultValue": "Deny"
 },
+ "FunctionAppSlotPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for Function apps",
+ "description": "This policy denies creation of Function apps with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
 "AsePublicIpDenyEffect": {
 "type": "String",
 "metadata": {
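Review bot: The parameter is named `FunctionAppSlotPublicIpDenyEffect` and the reference that consumes it later in this diff is `FunctionAppSlotsDenyPublicIP`, but its `displayName` and `description` talk about "Function apps" with no mention of deployment slots; if the referenced built-in really scopes to slots (I cannot confirm that from the id alone), the text under-describes what gets denied and will read as a duplicate of any Function-app-level parameter. Suggest `"displayName": "Public network access should be disabled for Function app slots"` and `"description": "This policy denies creation of Function app slots with exposed public endpoints"`.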
@@ -274,6 +300,220 @@
 "Disabled"
 ],
 "defaultValue": "AuditIfNotExists"
+ },
+ "ContainerAppsEnvironmentDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Container Apps environment should disable public network access",
+ "description": "This policy denies creation of Container Apps Environment with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "AsrVaultDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Azure Recovery Services vaults should disable public network access",
+ "description": "This policy denies creation of Azure Recovery Services vaults with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "logicAppPublicNetworkAccessEffect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "appSlotsPublicNetworkAccess": {
+ "type": "string",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "cognitiveSearchPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "managedDiskPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "containerAppsPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adxPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adfPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "eventGridPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "eventGridTopicPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "eventHubNamespacesPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "keyVaultManagedHsmDisablePublicNetwork": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "mySqlPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "cognitiveServicesNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "cognitiveServicesPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "serviceBusDisablePublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "sqlManagedPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageAccountsPublicAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "synapsePublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "avdHostPoolPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "avdWorkspacePublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "graphanaPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
 }
 },
 "policyDefinitions": [
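Review bot: From `logicAppPublicNetworkAccessEffect` onward, the 21 parameters added in this hunk carry no `metadata` block — no `displayName`, no `description` — unlike `ContainerAppsEnvironmentDenyEffect` and `AsrVaultDenyEffect` at the top of the same hunk and every pre-existing parameter in this file, so assignment UIs and generated docs will show bare keys. Each needs at least `"metadata": { "displayName": "...", "description": "..." }` in the established wording, e.g. for `mySqlPublicNetworkAccess`: `"description": "This policy denies creation of MySQL servers with exposed public endpoints"`. `managedDiskPublicNetworkAccess` defaults to `Audit` and offers no `Deny` at all, which sits oddly under an initiative whose description says it "prevents creation"; if the referenced built-in genuinely has no deny effect, that parameter's description should say so rather than leaving assigners to discover it. `graphanaPublicNetworkAccess` misspells Grafana, and because parameter names become part of every assignment payload, this hunk is the last cheap moment to rename it.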
@@ -357,6 +597,16 @@
 },
 "groupNames": []
 },
+ {
+ "policyDefinitionReferenceId": "Deny-PostgreSql-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('postgreSqlPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
 {
 "policyDefinitionReferenceId": "MySQLFlexDenyPublicIP",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052",
@@ -447,6 +697,16 @@
 },
 "groupNames": []
 },
+ {
+ "policyDefinitionReferenceId": "FunctionAppSlotsDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('FunctionAppSlotPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
 {
 "policyDefinitionReferenceId": "AseDenyPublicIP",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3",
@@ -476,6 +736,236 @@
 }
 },
 "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "ContainerAppsEnvironmentDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('ContainerAppsEnvironmentDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ContainerApps-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('containerAppsPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AsrVaultDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('AsrVaultDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-LogicApp-Public-Network-Access",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('logicAppPublicNetworkAccessEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-AppSlots-Public",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('appSlotsPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-CognitiveSearch-PublicEndpoint",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cognitiveSearchPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": 
"Deny-ManagedDisk-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('managedDiskPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ADX-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('adxPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Adf-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('adfPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-EventGrid-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('eventGridPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-EventGrid-Topic-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('eventGridTopicPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-EH-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('eventHubNamespacesPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-KV-Hms-PublicNetwork",
+ "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('keyVaultManagedHsmDisablePublicNetwork')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-MySql-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('mySqlPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Cognitive-Services-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cognitiveServicesPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Cognitive-Services-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cognitiveServicesNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Sb-PublicEndpoint",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('serviceBusDisablePublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Sql-Managed-Public-Endpoint",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('sqlManagedPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-Public-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageAccountsPublicAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Synapse-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('synapsePublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Workspace-PublicNetworkAccess",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('avdWorkspacePublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Hostpool-PublicNetworkAccess",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('avdHostPoolPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Graphana-PublicNetworkAccess",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('graphanaPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_aum_checkupdates.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_aum_checkupdates.tmpl.json
new file mode 100644
index 000000000..09c36e540
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_aum_checkupdates.tmpl.json
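Review bot: `Deny-LogicApp-Public-Network-Access` is the only reference in this hunk whose `policyDefinitionId` points at a custom definition under `${root_scope_resource_id}` instead of a built-in, so creation of this initiative now depends on `Deny-LogicApp-Public-Network` already existing at the root scope; JSON cannot carry a comment, so that ordering dependency belongs in the set's `description` or the module's documentation. `Deny-Graphana-PublicNetworkAccess` misspells Grafana, and reference ids persist in compliance records and remediation tasks, so it should be corrected before release. The new reference ids also mix three naming styles in one list — `Deny-KV-Hms-PublicNetwork`, `Deny-Sb-PublicEndpoint`, `Deny-Workspace-PublicNetworkAccess` next to `Deny-EventGrid-Topic-Public-Network-Access` — and `Deny-Workspace-PublicNetworkAccess` does not say which workspace (the parameter it reads is the AVD one); `Deny-AvdWorkspace-Public-Network-Access` would be unambiguous and match the dominant pattern.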
@@ -0,0 +1,153 @@
+{
+ "name": "Deploy-AUM-CheckUpdates",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines",
+ "description": "Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Security Center",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "assessmentMode": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Assessment mode",
+ "description": "Assessment mode for the machines."
+ },
+ "allowedValues": [
+ "ImageDefault",
+ "AutomaticByPlatform"
+ ],
+ "defaultValue": "AutomaticByPlatform"
+ },
+ "locations": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Machines locations",
+ "description": "The list of locations from which machines need to be targeted.",
+ "strongType": "location"
+ },
+ "defaultValue": []
+ },
+ "tagValues": {
+ "type": "Object",
+ "metadata": {
+ "displayName": "Tags on machines",
+ "description": "The list of tags that need to matched for getting target machines."
+ },
+ "defaultValue": {}
+ },
+ "tagOperator": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Tag operator",
+ "description": "Matching condition for resource tags"
+ },
+ "allowedValues": [
+ "All",
+ "Any"
+ ],
+ "defaultValue": "Any"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "azureUpdateManagerVmCheckUpdateWindows",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15",
+ "parameters": {
+ "assessmentMode": {
+ "value": "[parameters('assessmentMode')]"
+ },
+ "osType": {
+ "value": "Windows"
+ },
+ "locations": {
+ "value": "[parameters('locations')]"
+ },
+ "tagValues": {
+ "value": "[parameters('tagValues')]"
+ },
+ "tagOperator": {
+ "value": "[parameters('tagOperator')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "azureUpdateManagerVmCheckUpdateLinux",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15",
+ "parameters": {
+ "assessmentMode": {
+ "value": "[parameters('assessmentMode')]"
+ },
+ "osType": {
+ "value": "Linux"
+ },
+ "locations": {
+ "value": "[parameters('locations')]"
+ },
+ "tagValues": {
+ "value": "[parameters('tagValues')]"
+ },
+ "tagOperator": {
+ "value": "[parameters('tagOperator')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "azureUpdateManagerVmArcCheckUpdateWindows",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46",
+ "parameters": {
+ "assessmentMode": {
+ "value": "[parameters('assessmentMode')]"
+ },
+ "osType": {
+ "value": "Windows"
+ },
+ "locations": {
+ "value": "[parameters('locations')]"
+ },
+ "tagValues": {
+ "value": "[parameters('tagValues')]"
+ },
+ "tagOperator": {
+ "value": "[parameters('tagOperator')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "azureUpdateManagerVmArcCheckUpdateLinux",
+ 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46",
+ "parameters": {
+ "assessmentMode": {
+ "value": "[parameters('assessmentMode')]"
+ },
+ "osType": {
+ "value": "Linux"
+ },
+ "locations": {
+ "value": "[parameters('locations')]"
+ },
+ "tagValues": {
+ "value": "[parameters('tagValues')]"
+ },
+ "tagOperator": {
+ "value": "[parameters('tagOperator')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.tmpl.json
index 624a59d26..cdc67e166 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.tmpl.json
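Review bot: `tagValues.metadata.description` reads `The list of tags that need to matched for getting target machines.`; it should be `that need to be matched`. With `locations` defaulting to `[]`, `tagValues` to `{}` and `tagOperator` to `Any`, an assignment that sets none of them targets every VM and Arc machine in scope; that is reasonable for an assessment-only policy, but the set `description` should say so explicitly rather than only saying the scope "can" be controlled. The set exposes no `effect` parameter, so an assignment can only disable all four legs together — if the two referenced built-ins accept an effect parameter (I cannot confirm that from this hunk), surfacing one per OS/Arc leg would be more useful than the all-or-nothing choice.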
@@ -5,10 +5,11 @@
 "scope": null,
 "properties": {
 "policyType": "Custom",
- "displayName": "Deploy Diagnostic Settings to Azure Services",
- "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included ",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings to Azure Services",
+ "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "2.2.0",
+ "deprecated": true,
+ "version": "2.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.tmpl.json
index 528a831b7..5290f7358 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.tmpl.json
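Review bot: The deprecation metadata here stops at `"deprecated": true`, whereas the Deploy-MDFC-Config deprecation in the next file also records `supersededBy`; any tooling that reads that key to point operators at the replacement will miss this set. Add `"supersededBy": "0884adba-2312-4468-abeb-5422caed1038"` (the built-in initiative id already named in the new description) next to `"deprecated": true`. Note also that `2.2.0-deprecated` is a valid SemVer pre-release string and therefore sorts *lower* than `2.2.0`; if anything compares the `version` field, the deprecated revision will look older than the live one, so a bump such as `3.0.0-deprecated` (as the MDFC file does with `7.0.0-deprecated`) would be safer.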
@@ -5,12 +5,14 @@
 "scope": null,
 "properties": {
 "policyType": "Custom",
- "displayName": "Deploy Microsoft Defender for Cloud configuration",
- "description": "Deploy Microsoft Defender for Cloud configuration",
+ "displayName": "[Deprecated]: Deploy Microsoft Defender for Cloud configuration",
+ "description": "Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html",
 "metadata": {
- "version": "6.0.1",
+ "version": "7.0.0-deprecated",
 "category": "Security Center",
 "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "Deploy-MDFC-Config_20240319",
 "alzCloudEnvironments": [
 "AzureCloud"
 ]
@@ -434,6 +436,12 @@
 }
 },
 "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "migrateToMdeTvm",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888",
+ "parameters": {},
+ "groupNames": []
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json
new file mode 100644
index 000000000..d256cf21d
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json
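Review bot: `@@ -434,6 +436,12 @@` adds a brand-new reference, `migrateToMdeTvm`, to the very initiative that `@@ -5,12 +5,14 @@` marks `"deprecated": true`, so existing assignments of a set advertised as frozen acquire a new policy with the built-in's default parameters (`"parameters": {}`) and, with it, new compliance results. If the addition is intentional for tenants that cannot move yet, say so in the `description`, e.g. append `This deprecated revision also enables the Defender vulnerability assessment migration; new deployments should assign Deploy-MDFC-Config_20240319 instead.`; otherwise the reference belongs only in the replacement set, whose hunk starts below and runs past this view. The new `supersededBy` value and the URL in the description both name `Deploy-MDFC-Config_20240319`, which is good — keep the two in step if the replacement is ever renamed.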
@@ -0,0 +1,404 @@ +{ + "name": "Deploy-MDFC-Config_20240319", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deploy Microsoft Defender for Cloud configuration", + "description": "Deploy Microsoft Defender for Cloud configuration", + "metadata": { + "version": "1.0.0", + "category": "Security Center", + "source": "https://github.com/Azure/Enterprise-Scale/", + "replacesPolicy": "Deploy-MDFC-Config", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "emailSecurityContact": { + "type": "string", + "metadata": { + "displayName": "Security contacts email address", + "description": "Provide email address for Microsoft Defender for Cloud contact details" + } + }, + "minimalSeverity": { + "type": "string", + "allowedValues": [ + "High", + "Medium", + "Low" + ], + "defaultValue": "High", + "metadata": { + "displayName": "Minimal severity", + "description": "Defines the minimal alert severity which will be sent as email notifications" + } + }, + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Primary Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "ascExportResourceGroupName": { + "type": "String", + "metadata": { + "displayName": "Resource Group name for the export to Log Analytics workspace configuration", + "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured." 
+ } + }, + "ascExportResourceGroupLocation": { + "type": "String", + "metadata": { + "displayName": "Resource Group location for the export to Log Analytics workspace configuration", + "description": "The location where the resource group and the export to Log Analytics workspace configuration are created." + } + }, + "enableAscForCosmosDbs": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSql": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSqlOnVm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForArm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForOssDb": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForAppServices": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForKeyVault": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + 
"Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForStorage": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForContainers": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForServers": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForServersVulnerabilityAssessments": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "vulnerabilityAssessmentProvider": { + "type": "String", + "allowedValues": [ + "default", + "mdeTvm" + ], + "defaultValue": "mdeTvm", + "metadata": { + "displayName": "Vulnerability assessment provider type", + "description": "Select the vulnerability assessment solution to provision to machines." 
+ } + }, + "enableAscForCspm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "defenderForOssDb", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a", + "parameters": { + "effect": { + "value": "[parameters('enableAscForOssDb')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForVM", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222", + "parameters": { + "effect": { + "value": "[parameters('enableAscForServers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForVMVulnerabilityAssessment", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b", + "parameters": { + "effect": { + "value": "[parameters('enableAscForServersVulnerabilityAssessments')]" + }, + "vaType": { + "value": "[parameters('vulnerabilityAssessmentProvider')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlServerVirtualMachines", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3", + "parameters": { + "effect": { + "value": "[parameters('enableAscForSqlOnVm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForAppServices", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d", + "parameters": { + "effect": { + "value": "[parameters('enableAscForAppServices')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForStorageAccountsV2", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390", + "parameters": { + "effect": { + "value": "[parameters('enableAscForStorage')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderforContainers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", + "parameters": { + "effect": { + "value": "[parameters('enableAscForContainers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderforKubernetes", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5", + "parameters": { + "effect": { + "value": "[parameters('enableAscForContainers')]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalytics')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "azurePolicyForKubernetes", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", + "parameters": { + "effect": { + "value": "[parameters('enableAscForContainers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForKeyVaults", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7", + "parameters": { + "effect": { + "value": "[parameters('enableAscForKeyVault')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForArm", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9", + "parameters": { + "effect": { + "value": "[parameters('enableAscForArm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlPaas", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491", + "parameters": { + "effect": { + "value": 
"[parameters('enableAscForSql')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForCosmosDbs", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542", + "parameters": { + "effect": { + "value": "[parameters('enableAscForCosmosDbs')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForCspm", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd", + "parameters": { + "effect": { + "value": "[parameters('enableAscForCspm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "securityEmailContact", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", + "parameters": { + "emailSecurityContact": { + "value": "[parameters('emailSecurityContact')]" + }, + "minimalSeverity": { + "value": "[parameters('minimalSeverity')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ascExport", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9", + "parameters": { + "resourceGroupName": { + "value": "[parameters('ascExportResourceGroupName')]" + }, + "resourceGroupLocation": { + "value": "[parameters('ascExportResourceGroupLocation')]" + }, + "workspaceResourceId": { + "value": "[parameters('logAnalytics')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "migrateToMdeTvm", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888", + "parameters": {}, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
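Review bot: The parameter `type` values are inconsistently cased in the new set: `emailSecurityContact` and `minimalSeverity` declare `"type": "string"` while every other parameter declares `"type": "String"`; the engine tolerates both, but a file that is the canonical replacement for Deploy-MDFC-Config should pick one. The reference IDs have the same drift (`defenderforContainers`, `defenderforKubernetes` against `defenderForOssDb`, `defenderForVM`, …), and since the Databricks rename elsewhere in this diff shows how awkward it is to fix a `policyDefinitionReferenceId` once assignments and exemptions depend on it, a brand-new set is the one cheap moment to normalise them to `defenderForContainers` and `defenderForKubernetes`. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.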
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_defendersql_ama.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_defendersql_ama.tmpl.json
new file mode 100644
index 000000000..d1037e4ce
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_defendersql_ama.tmpl.json
@@ -0,0 +1,239 @@ +{ + "name": "Deploy-MDFC-DefenderSQL-AMA", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW", + "description": "Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html", + "metadata": { + "version": "1.0.1-deprecated", + "category": "Security Center", + "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "supersededBy": "de01d381-bae9-4670-8870-786f89f49e26", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "workspaceRegion": { + "type": "String", + "metadata": { + "displayName": "Workspace region", + "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.", + "strongType": "location" + } + }, + "dcrName": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Name", + "description": "Name of the Data Collection Rule." + } + }, + "dcrResourceGroup": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Resource Group", + "description": "Resource Group of the Data Collection Rule." + } + }, + "dcrId": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Id", + "description": "Id of the Data Collection Rule." 
+ } + }, + "userWorkspaceResourceId": { + "type": "String", + "metadata": { + "displayName": "Workspace Resource Id", + "description": "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.", + "strongType": "omsWorkspace" + } + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "type": "Boolean", + "metadata": { + "displayName": "Enable collection of SQL queries for security research", + "description": "Enable or disable the collection of SQL queries for security research." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": false + }, + "identityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "Identity Resource Group", + "description": "The name of the resource group created by the policy." + }, + "defaultValue": "" + }, + "userAssignedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User Assigned Managed Identity Name", + "description": "The name of the user assigned managed identity." 
+ }, + "defaultValue": "" + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "defenderForSqlArcAma", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786", + "parameters": { + "effect": { + "value": "[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlArcMdsql", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929", + "parameters": { + "effect": { + "value": "[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlArcMdsqlDcr", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR", + "parameters": { + "effect": { + "value": "[parameters('effect')]" + }, + "userWorkspaceResourceId": { + "value": "[parameters('userWorkspaceResourceId')]" + }, + "workspaceRegion": { + "value": "[parameters('workspaceRegion')]" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" + }, + "dcrName": { + "value": "[parameters('dcrName')]" + }, + "dcrResourceGroup": { + "value": "[parameters('dcrResourceGroup')]" + }, + "dcrId": { + "value": "[parameters('dcrId')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlArcDcrAssociation", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association", + "parameters": { + "effect": { + "value": "[parameters('effect')]" + }, + "workspaceRegion": { + "value": "[parameters('workspaceRegion')]" + }, + "dcrName": { + "value": "[parameters('dcrName')]" + }, + "dcrResourceGroup": { + "value": "[parameters('dcrResourceGroup')]" + }, + "dcrId": { + "value": "[parameters('dcrId')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "defenderForSqlAma", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA", + "parameters": { + "effect": { + "value": "[parameters('effect')]" + }, + "identityResourceGroup": { + "value": "[parameters('identityResourceGroup')]" + }, + "userAssignedIdentityName": { + "value": "[parameters('userAssignedIdentityName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlMdsql", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL", + "parameters": { + "effect": { + "value": "[parameters('effect')]" + }, + "workspaceRegion": { + "value": "[parameters('workspaceRegion')]" + }, + "dcrResourceGroup": { + "value": "[parameters('dcrResourceGroup')]" + }, + "dcrName": { + "value": "[parameters('dcrName')]" + }, + "dcrId": { + "value": "[parameters('dcrId')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlMdsqlDcr", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR", + "parameters": { + "effect": { + "value": "Disabled" + }, + "userWorkspaceResourceId": { + "value": "[parameters('userWorkspaceResourceId')]" + }, + "workspaceRegion": { + "value": "[parameters('workspaceRegion')]" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" + }, + "dcrName": { + "value": "[parameters('dcrName')]" + }, + "dcrResourceGroup": { + "value": "[parameters('dcrResourceGroup')]" + }, + "dcrId": { + "value": "[parameters('dcrId')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
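Review bot: The `defenderForSqlMdsqlDcr` member pins `"effect": { "value": "Disabled" }` while every sibling reference maps `"value": "[parameters('effect')]"`, so the Data Collection Rule for Defender for SQL on Azure VMs is never deployed by this set however it is assigned, yet the member still receives `dcrId`, `dcrName` and the workspace parameters as if it were live, and nothing in the file says whether that is intended. If it is deliberate, make it visible where an operator will look — a sentence in the description that only the Arc-SQL DCR path is active in this set — and if it is not, change the value to `"[parameters('effect')]"`. Since the file is born deprecated (`1.0.1-deprecated`, `[Deprecated]:` display name, `supersededBy` pointing at a built-in), the likeliest reading is that it exists only so existing assignments keep resolving, which the description could state outright. The file also lacks a trailing newline.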
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json
index 5723bb45a..97f15044f 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Configure Azure PaaS services to use private DNS zones",
 "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones",
 "metadata": {
- "version": "2.1.1",
+ "version": "2.2.0",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -466,6 +466,15 @@
 "description": "Private DNS Zone Identifier"
 }
 },
+ "azureMachineLearningWorkspaceSecondPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureMachineLearningWorkspaceSecondPrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
 "azureServiceBusNamespacePrivateDnsZoneId": {
 "type": "string",
 "defaultValue": "",
@@ -484,6 +493,132 @@
 "description": "Private DNS Zone Identifier"
 }
 },
+ "azureBotServicePrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureBotServicePrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureManagedGrafanaWorkspacePrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureManagedGrafanaWorkspacePrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureVirtualDesktopHostpoolPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureVirtualDesktopHostpoolPrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureVirtualDesktopWorkspacePrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureVirtualDesktopWorkspacePrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureIotDeviceupdatePrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureIotDeviceupdatePrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureArcGuestconfigurationPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureArcGuestconfigurationPrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureArcHybridResourceProviderPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureArcHybridResourceProviderPrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureArcKubernetesConfigurationPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureArcKubernetesConfigurationPrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureIotCentralPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureIotCentralPrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureStorageTablePrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureStorageTablePrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureStorageTableSecondaryPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureStorageTableSecondaryPrivateDnsZoneId",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureSiteRecoveryBackupPrivateDnsZoneID": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureSiteRecoveryBackupPrivateDnsZoneID",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureSiteRecoveryBlobPrivateDnsZoneID": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureSiteRecoveryBlobPrivateDnsZoneID",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
+ "azureSiteRecoveryQueuePrivateDnsZoneID": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "azureSiteRecoveryQueuePrivateDnsZoneID",
+ "strongType": "Microsoft.Network/privateDnsZones",
+ "description": "Private DNS Zone Identifier"
+ }
+ },
 "effect": {
 "type": "string",
 "metadata": {
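Review bot: The three Site Recovery parameters are named with an upper-case `ID` suffix (`azureSiteRecoveryBackupPrivateDnsZoneID`, `…BlobPrivateDnsZoneID`, `…QueuePrivateDnsZoneID`) while every other parameter in this hunk and in the existing set ends in `PrivateDnsZoneId`. The policy engine may resolve parameter names case-insensitively, but assignment templates and the Terraform maps that generate them are usually case-sensitive, so a mixed convention is exactly the sort of thing that silently leaves a zone unset. These parameters are new in this minor bump, so renaming them to `azureSiteRecoveryBackupPrivateDnsZoneId`, `azureSiteRecoveryBlobPrivateDnsZoneId` and `azureSiteRecoveryQueuePrivateDnsZoneId` (and the three `[parameters(...)]` references in the `DINE-Private-DNS-Azure-Site-Recovery-Backup` member, together with their `displayName` copies) costs nothing now and a breaking rename later.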
@@ -672,7 +807,7 @@
 "groupNames": []
 },
 {
- "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databrics-UI-Api",
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databricks-UI-Api",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c",
 "parameters": {
 "privateDnsZoneId": {
@@ -688,7 +823,7 @@
 "groupNames": []
 },
 {
- "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databrics-Browser-AuthN",
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databricks-Browser-AuthN",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c",
 "parameters": {
 "privateDnsZoneId": {
@@ -1185,6 +1320,9 @@
 "privateDnsZoneId": {
 "value": "[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]"
 },
+ "secondPrivateDnsZoneId": {
+ "value": "[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]"
+ },
 "effect": {
 "value": "[parameters('effect')]"
 }
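Review bot: Renaming the two `policyDefinitionReferenceId` values from `Databrics` to `Databricks` (this hunk and the one at -688) is a compatibility break rather than a spelling fix: a `policyDefinitionReferenceId` is the key by which exemptions (`policyDefinitionReferenceIds`), compliance records and remediation tasks address a member, so anything created against the old IDs stops matching once the updated set is deployed, and an exemption that silently stops applying is a behaviour change nobody asked for. That is more than the 2.1.1 → 2.2.0 bump in the -8 hunk conveys; either make it a major version with a sentence in the description naming the two renamed IDs, or keep the old IDs and correct the spelling only where it is cosmetic. The same consideration applies to the new set's reference IDs elsewhere in this diff, which is why getting their casing right on creation matters.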
@@ -1216,6 +1354,154 @@
 }
 },
 "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-BotService",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[parameters('azureBotServicePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ManagedGrafanaWorkspace",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-VirtualDesktopHostpool",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "connection"
+ },
+ "effect": {
+ "value": "[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-VirtualDesktopWorkspace",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "feed"
+ },
+ "effect": {
+ "value": "[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTDeviceupdate",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[parameters('azureIotDeviceupdatePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Arc",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9",
+ "parameters": {
+ "privateDnsZoneIdForGuestConfiguration": {
+ "value": "[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]"
+ },
+ "privateDnsZoneIdForHybridResourceProvider": {
+ "value": "[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]"
+ },
+ "privateDnsZoneIdForKubernetesConfiguration": {
+ "value": "[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTCentral",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[parameters('azureIotCentralPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Table",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[parameters('azureStorageTablePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Table-Secondary",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Site-Recovery-Backup",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820",
+ "parameters": {
+ "privateDnsZone-Backup": {
+ "value": "[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]"
+ },
+ "privateDnsZone-Blob": {
+ "value": "[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]"
+ },
+ "privateDnsZone-Queue": {
+ "value": "[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]"
+ },
+ "effect": {
+ "value": "[parameters('effect')]"
+ }
+ },
+ "groupNames": []
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.tmpl.json
index 9e4e7b798..91b1d42b9 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.tmpl.json
@@ -5,12 +5,14 @@
 "scope": null,
 "properties": {
 "policyType": "Custom",
- "displayName": "Deploy SQL Database built-in SQL security configuration",
- "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment",
+ "displayName": "[Deprecated]: Deploy SQL Database built-in SQL security configuration",
+ "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Sql-Security_20240529.html",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.0-deprecated",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "Deploy-Sql-Security_20240529",
 "alzCloudEnvironments": [
 "AzureCloud",
 "AzureChinaCloud",
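Review bot: The rewritten description keeps the portal-visible wording "when it not exist in the deployment" and the same sentence is carried verbatim into the new Deploy-Sql-Security_20240529 set, whose hunk runs past the end of this view. The deprecated set can stay as it is, but the replacement is new text where `Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when they do not exist in the deployment` costs nothing and is what an operator reads in the assignment blade. The `supersededBy` value here is a custom set name, consistent with the Defender for Cloud set and unlike the GUID used for the Defender-for-SQL AMA set, which is the inconsistency raised on that file.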
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security_20240529.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security_20240529.tmpl.json
new file mode 100644
index 000000000..632d3fbc6
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security_20240529.tmpl.json
@@ -0,0 +1,135 @@
+{
+ "name": "Deploy-Sql-Security_20240529",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Deploy SQL Database built-in SQL security configuration",
+ "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "replacesPolicy": "Deploy-Sql-Security",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "vulnerabilityAssessmentsEmail": {
+ "metadata": {
+ "description": "The email address to send alerts",
+ "displayName": "The email address to send alerts"
+ },
+ "type": "Array"
+ },
+ "vulnerabilityAssessmentsStorageID": {
+ "metadata": {
+ "description": "The storage account ID to store assessments",
+ "displayName": "The storage account ID to store assessments"
+ },
+ "type": "String"
+ },
+ "SqlDbTdeDeploySqlSecurityEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy SQL Database Transparent Data Encryption ",
+ "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment"
+ }
+ },
+ "SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy SQL Database security Alert Policies configuration with email admin accounts",
+ "description": "Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration"
+ }
+ },
+ "SqlDbAuditingSettingsDeploySqlSecurityEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy SQL database auditing settings",
+ "description": "Deploy auditing settings to SQL Database when it not exist in the deployment"
+ }
+ },
+ "SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy SQL Database vulnerability Assessments",
+ "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters"
+ }
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "SqlDbTdeDeploySqlSecurity",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('SqlDbTdeDeploySqlSecurityEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SqlDbSecurityAlertPoliciesDeploySqlSecurity",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SqlDbAuditingSettingsDeploySqlSecurity",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]"
+ },
+ "vulnerabilityAssessmentsEmail": {
+ "value": "[parameters('vulnerabilityAssessmentsEmail')]"
+ },
+ "vulnerabilityAssessmentsStorageID": {
+ "value": "[parameters('vulnerabilityAssessmentsStorageID')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_backup.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_backup.tmpl.json
new file mode 100644
index 000000000..30de60651
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_backup.tmpl.json
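Review bot: The top-level description of the new Deploy-Sql-Security_20240529 set copies the wording defect of the file it replaces ("when it not exist in the deployment"); since this is a new file it can be fixed without touching the deprecated set, e.g. `"description": "Deploy auditing, security alert policies, TDE and vulnerability assessment to SQL databases where they are not already configured"`. The two parameters without a `defaultValue` (`vulnerabilityAssessmentsEmail`, `vulnerabilityAssessmentsStorageID`) are mandatory at assignment time, which their one-line descriptions do not say; a note such as `"description": "Resource ID of the storage account that will receive assessment results; required, the account must exist before the assignment is created"` would save assignment authors a failed deployment. The file is also committed without a trailing newline (`\ No newline at end of file`), as is the Enforce-Backup file added in the next hunk.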
@@ -0,0 +1,134 @@
+{
+ "name": "Enforce-Backup",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce enhanced recovery and backup policies",
+ "description": "Enforce enhanced recovery and backup policies on assigned scopes.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Backup",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy."
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "checkLockedImmutabilityOnly": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "checkLockedImmutabilityOnly",
+ "description": "This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant."
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": false
+ },
+ "checkAlwaysOnSoftDeleteOnly": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "CheckAlwaysOnSoftDeleteOnly",
+ "description": "This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant."
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": false
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "BackupBVault-Immutability",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect')]"
+ },
+ "CheckLockedImmutabiltyOnly": {
+ "value": "[parameters('checkLockedImmutabilityOnly')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BackupRVault-Immutability",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect')]"
+ },
+ "checkLockedImmutabilityOnly": {
+ "value": "[parameters('checkLockedImmutabilityOnly')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BackupBVault-SoftDelete",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect')]"
+ },
+ "checkAlwaysOnSoftDeleteOnly": {
+ "value": "[parameters('checkAlwaysOnSoftDeleteOnly')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BackupRVault-SoftDelete",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect')]"
+ },
+ "checkAlwaysOnSoftDeleteOnly": {
+ "value": "[parameters('checkAlwaysOnSoftDeleteOnly')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BackupBVault-MUA",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BackupRVault-MUA",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json
index 9de3e62a0..a51b7de08 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
 "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
 "metadata": {
- "version": "2.0.0",
+ "version": "3.0.0",
 "category": "Encryption",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -22,7 +22,7 @@
 "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK."
 },
 "type": "String",
- "defaultValue": "Audit",
+ "defaultValue": "Deny",
 "allowedValues": [
 "Audit",
 "Deny",
@@ -35,7 +35,7 @@
 "description": "Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards."
 },
 "type": "String",
- "defaultValue": "Audit",
+ "defaultValue": "Deny",
 "allowedValues": [
 "Audit",
 "Deny",
@@ -44,7 +44,7 @@
 },
 "WorkspaceCMKEffect": {
 "type": "String",
- "defaultValue": "Audit",
+ "defaultValue": "Deny",
 "allowedValues": [
 "Audit",
 "Deny",
@@ -57,7 +57,7 @@
 },
 "CognitiveServicesCMKEffect": {
 "type": "String",
- "defaultValue": "Audit",
+ "defaultValue": "Deny",
 "allowedValues": [
 "Audit",
 "Deny",
@@ -70,7 +70,7 @@
 },
 "CosmosCMKEffect": {
 "type": "String",
- "defaultValue": "audit",
+ "defaultValue": "deny",
 "allowedValues": [
 "audit",
 "deny",
@@ -83,7 +83,7 @@
 },
 "DataBoxCMKEffect": {
 "type": "String",
- "defaultValue": "Audit",
+ "defaultValue": "Deny",
 "allowedValues": [
 "Audit",
 "Deny",
@@ -96,7 +96,7 @@
 },
 "StreamAnalyticsCMKEffect": {
 "type": "String",
- "defaultValue": "audit",
+ "defaultValue": "deny",
 "allowedValues": [
 "audit",
 "deny",
@@ -109,7 +109,7 @@
 },
 "SynapseWorkspaceCMKEffect": {
 "type": "String",
- "defaultValue": "Audit",
+ "defaultValue": "Deny",
 "allowedValues": [
 "Audit",
 "Deny",
@@ -158,7 +158,7 @@
 },
 "SqlServerTDECMKEffect": {
 "type": "String",
- "defaultValue": "Audit",
+ "defaultValue": "Deny",
 "allowedValues": [
 "Audit",
 "Deny",
@@ -183,7 +183,7 @@
 },
 "AzureBatchCMKEffect": {
 "type": "String",
- "defaultValue": "Audit",
+ "defaultValue": "Deny",
 "allowedValues": [
 "Audit",
 "Deny",
@@ -205,6 +205,130 @@
 "displayName": "Disk encryption should be applied on virtual machines",
 "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations."
 }
+ },
+ "AutomationAccountCmkEffect": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "BackupCmkEffect": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "cognitiveSearchCmk": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "osAndDataDiskCmk": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "containerInstanceCmk": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adxCmk": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adfCmk": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "eventHubNamespacesCmk": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "eventHubPremiumCmk": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "serviceBusDenyCmk": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "sqlManagedCmk": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageTableCmk": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageAccountsEncryptionCmk": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageQueueCmk": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
 }
 },
 "policyDefinitions": [
@@ -357,6 +481,146 @@
 }
 },
 "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Aa-Cmk",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('AutomationAccountCmkEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Backup-Cmk",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('BackupCmkEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-CognitiveSearch-Cmk",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cognitiveSearchCmk')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-OsAndDataDisk-Cmk",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('osAndDataDiskCmk')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ContainerInstance-Cmk",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('containerInstanceCmk')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ADX-Cmk",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('adxCmk')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Adf-Cmk",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('adfCmk')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-EH-Cmk",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('eventHubNamespacesCmk')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-EH-Premium-CMK",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('eventHubPremiumCmk')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Sb-Cmk",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('serviceBusDenyCmk')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Sql-Managed-Cmk",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('sqlManagedCmk')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-Table-Cmk",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageTableCmk')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-Encryption-Cmk",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageAccountsEncryptionCmk')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-Queue-Cmk",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageQueueCmk')]"
+ }
+ },
+ "groupNames": []
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.tmpl.json
index 83b4970a2..8b7c33bc6 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.tmpl.json
@@ -5,12 +5,14 @@
 "scope": null,
 "properties": {
 "policyType": "Custom",
- "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
- "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. ",
+ "displayName": "[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
+ "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html",
 "metadata": {
- "version": "2.0.0",
+ "version": "2.1.0-deprecated",
 "category": "Encryption",
 "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "Enforce-EncryptTransit_20240509",
 "alzCloudEnvironments": [
 "AzureCloud",
 "AzureChinaCloud",
@@ -360,6 +362,19 @@
 "Deny",
 "Disabled"
 ]
+ },
+ "ContainerAppsHttpsOnlyEffect": {
+ "metadata": {
+ "displayName": "Container Apps should only be accessible over HTTPS",
+ "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps."
+ },
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
 }
 },
 "policyDefinitions": [
@@ -611,6 +626,16 @@
 }
 },
 "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('ContainerAppsHttpsOnlyEffect')]"
+ }
+ },
+ "groupNames": []
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit_20240509.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit_20240509.tmpl.json
new file mode 100644
index 000000000..1549c997a
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit_20240509.tmpl.json
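Review bot: The ContainerAppsHttpsOnlyEffect parameter and the matching policyDefinitions entry (@@ -611 hunk) are being added to Enforce-EncryptTransit in the same commit that marks that set deprecated (the @@ -5 hunk above sets `"deprecated": true` and points consumers at Enforce-EncryptTransit_20240509), so anyone following the supersededBy pointer would lose this control unless the replacement also carries it; the replacement's hunk begins in the next file section but runs past this view, so that could not be confirmed here. If the addition is a deliberate last fix for the deprecated set, its `2.1.0-deprecated` version should be reflected in the description, e.g. appending `2.1.0 adds Container Apps HTTPS-only enforcement (Deny by default); new assignments should use Enforce-EncryptTransit_20240509.`; otherwise keep the change in the new set only so the deprecated file stays frozen. As a point of style, the `policyDefinitionReferenceId` reuses the parameter name `ContainerAppsHttpsOnlyEffect` rather than a resource-oriented id, which makes compliance results harder to read.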
@@ -0,0 +1,937 @@
+{
+ "name": "Enforce-EncryptTransit_20240509",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
+ "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. ",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Encryption",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "replacesPolicy": "Enforce-EncryptTransit",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "AppServiceHttpEffect": {
+ "type": "String",
+ "defaultValue": "Append",
+ "allowedValues": [
+ "Append",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below",
+ "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny."
+ }
+ },
+ "AppServiceTlsVersionEffect": {
+ "type": "String",
+ "defaultValue": "Append",
+ "allowedValues": [
+ "Append",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "App Service. Appends the AppService WebApp, APIApp, Function App to enable https only",
+ "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny."
+ }
+ },
+ "AppServiceminTlsVersion": {
+ "type": "String",
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2",
+ "1.0",
+ "1.1"
+ ],
+ "metadata": {
+ "displayName": "App Service. Select version minimum TLS Web App config",
+ "description": "App Service. Select version minimum TLS version for a Web App config to enforce"
+ }
+ },
+ "APIAppServiceHttpsEffect": {
+ "metadata": {
+ "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.",
+ "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "FunctionLatestTlsEffect": {
+ "metadata": {
+ "displayName": "App Service Function App. Latest TLS version should be used in your Function App",
+ "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version."
+ },
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "FunctionServiceHttpsEffect": {
+ "metadata": {
+ "displayName": "App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.",
+ "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "FunctionAppTlsEffect": {
+ "metadata": {
+ "displayName": "App Service Function App. Configure Function apps to use the latest TLS version.",
+ "description": "App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version."
+ },
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "LogicAppTlsEffect": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "WebAppServiceLatestTlsEffect": {
+ "metadata": {
+ "displayName": "App Service Web App. Latest TLS version should be used in your Web App",
+ "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version."
+ },
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "WebAppServiceHttpsEffect": {
+ "metadata": {
+ "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.",
+ "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "AKSIngressHttpsOnlyEffect": {
+ "metadata": {
+ "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster",
+ "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc."
+ },
+ "type": "String",
+ "defaultValue": "deny",
+ "allowedValues": [
+ "audit",
+ "deny",
+ "disabled"
+ ]
+ },
+ "MySQLEnableSSLDeployEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server",
+ "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
+ }
+ },
+ "MySQLEnableSSLEffect": {
+ "metadata": {
+ "displayName": "MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers",
+ "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "MySQLminimalTlsVersion": {
+ "type": "String",
+ "defaultValue": "TLS1_2",
+ "allowedValues": [
+ "TLS1_2",
+ "TLS1_0",
+ "TLS1_1",
+ "TLSEnforcementDisabled"
+ ],
+ "metadata": {
+ "displayName": "MySQL database servers. Select version minimum TLS for MySQL server",
+ "description": "Select version minimum TLS version Azure Database for MySQL server to enforce"
+ }
+ },
+ "PostgreSQLEnableSSLDeployEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server",
+ "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
+ }
+ },
+ "PostgreSQLEnableSSLEffect": {
+ "metadata": {
+ "displayName": "PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers",
+ "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "PostgreSQLminimalTlsVersion": {
+ "type": "String",
+ "defaultValue": "TLS1_2",
+ "allowedValues": [
+ "TLS1_2",
+ "TLS1_0",
+ "TLS1_1",
+ "TLSEnforcementDisabled"
+ ],
+ "metadata": {
+ "displayName": "PostgreSQL database servers. Select version minimum TLS for MySQL server",
+ "description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce"
+ }
+ },
+ "RedisTLSDeployEffect": {
+ "type": "String",
+ "defaultValue": "Append",
+ "allowedValues": [
+ "Append",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis",
+ "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
+ }
+ },
+ "RedisMinTlsVersion": {
+ "type": "String",
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2",
+ "1.0",
+ "1.1"
+ ],
+ "metadata": {
+ "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis",
+ "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce"
+ }
+ },
+ "RedisTLSEffect": {
+ "metadata": {
+ "displayName": "Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled",
+ "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "SQLManagedInstanceTLSDeployEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers",
+ "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
+ }
+ },
+ "SQLManagedInstanceMinTlsVersion": {
+ "type": "String",
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2",
+ "1.0",
+ "1.1"
+ ],
+ "metadata": {
+ "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance",
+ "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce"
+ }
+ },
+ "SQLManagedInstanceTLSEffect": {
+ "metadata": {
+ "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2",
+ "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "SQLServerTLSDeployEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers",
+ "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
+ }
+ },
+ "SQLServerminTlsVersion": {
+ "type": "String",
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2",
+ "1.0",
+ "1.1"
+ ],
+ "metadata": {
+ "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database",
+ "description": "Select version minimum TLS version for Azure SQL Database to enforce"
+ }
+ },
+ "SQLServerTLSEffect": {
+ "metadata": {
+ "displayName": "Azure SQL Database should have the minimal TLS version of 1.2",
+ "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "StorageDeployHttpsEnabledEffect": {
+ "metadata": {
+ "displayName": "Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled",
+ "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "StorageminimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Storage Account select minimum TLS version", + "description": "Select version minimum TLS version on Azure Storage Account to enforce" + } + }, + "ContainerAppsHttpsOnlyEffect": { + "metadata": { + "displayName": "Container Apps should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps." 
+ }, + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "logicAppHttpsEffect": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "functionAppSlotsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceAppsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "functionAppSlotsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "functionAppHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerAppsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubMinTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "sqlManagedTlsVersion": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "sqlDbTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsTls": { + "type": "string", + "defaultValue": "Deny", + 
"allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseTlsVersion": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AppServiceHttpEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "parameters": { + "effect": { + "value": "[parameters('AppServiceHttpEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceminTlsVersion", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "parameters": { + "effect": { + "value": "[parameters('AppServiceTlsVersionEffect')]" + }, + "minTlsVersion": { + "value": "[parameters('AppServiceminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "parameters": { + "effect": { + "value": "[parameters('FunctionLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "parameters": { + "effect": { + "value": "[parameters('WebAppServiceLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "parameters": { + "effect": { + "value": "[parameters('APIAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionServiceHttpsEffect", + "policyDefinitionId": 
"${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "parameters": { + "effect": { + "value": "[parameters('FunctionServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "parameters": { + "effect": { + "value": "[parameters('WebAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "parameters": { + "effect": { + "value": "[parameters('AKSIngressHttpsOnlyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[parameters('MySQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "parameters": { + "effect": { + "value": "[parameters('MySQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[parameters('PostgreSQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": 
"[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "parameters": { + "effect": { + "value": "[parameters('PostgreSQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisTLSDeployEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "parameters": { + "effect": { + "value": "[parameters('RedisTLSDeployEffect')]" + }, + "minimumTlsVersion": { + "value": "[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisdisableNonSslPort", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "parameters": { + "effect": { + "value": "[parameters('RedisTLSDeployEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisDenyhttps", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "parameters": { + "effect": { + "value": "[parameters('RedisTLSEffect')]" + }, + "minimumTlsVersion": { + "value": "[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[parameters('SQLManagedInstanceTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": 
"SQLManagedInstanceTLSEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[parameters('SQLManagedInstanceTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSDeployEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "parameters": { + "effect": { + "value": "[parameters('SQLServerTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "parameters": { + "effect": { + "value": "[parameters('SQLServerTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "parameters": { + "effect": { + "value": "[parameters('StorageDeployHttpsEnabledEffect')]" + }, + "minimumTlsVersion": { + "value": "[parameters('StorageMinimumTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "parameters": { + "effect": { + "value": "[parameters('ContainerAppsHttpsOnlyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-FunctionApp-Tls", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0", + "parameters": { + "effect": { + "value": "[parameters('FunctionAppTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deploy-LogicApp-TLS", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS", + "parameters": { + "effect": { + "value": "[parameters('LogicAppTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-LogicApp-Without-Https", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https", + "parameters": { + "effect": { + "value": "[parameters('logicAppHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-Function-Apps-Slots-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063", + "parameters": { + "effect": { + "value": "[parameters('functionAppSlotsTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-AppService-Apps-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d", + "parameters": { + "effect": { + "value": "[parameters('appServiceAppsTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AppService-Apps-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d", + "parameters": { + "effect": { + "value": "[parameters('appServiceAppsHttps')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AppService-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50", + "parameters": { + "effect": { + "value": "[parameters('appServiceTls')]" + } + }, + "groupNames": [] + }, + 
{ + "policyDefinitionReferenceId": "DINE-AppService-AppSlotTls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df", + "parameters": { + "effect": { + "value": "[parameters('appServiceAppSlotTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-FuncAppSlots-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71", + "parameters": { + "effect": { + "value": "[parameters('functionAppSlotsHttps')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-FunctionApp-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab", + "parameters": { + "effect": { + "value": "[parameters('functionAppHttps')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AppService-Slots-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc", + "parameters": { + "effect": { + "value": "[parameters('appServiceAppSlotsHttps')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ContainerApps-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "parameters": { + "effect": { + "value": "[parameters('containerAppsHttps')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-EH-MINTLS", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-MINTLS", + "parameters": { + "effect": { + "value": "[parameters('eventHubMinTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Sql-Managed-Tls-Version", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4", + "parameters": { + "effect": { + "value": 
"[parameters('sqlManagedTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Sql-Db-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf", + "parameters": { + "effect": { + "value": "[parameters('sqlDbTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0", + "parameters": { + "effect": { + "value": "[parameters('storageAccountsTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Synapse-Tls-Version", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4", + "parameters": { + "effect": { + "value": "[parameters('synapseTlsVersion')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_apim.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_apim.tmpl.json new file mode 100644 index 000000000..395df58bb --- /dev/null +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_apim.tmpl.json 
@@ -0,0 +1,234 @@
+{
+ "name": "Enforce-Guardrails-APIM",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for API Management",
+ "description": "This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "API Management",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "apiSubscriptionScope": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "minimumApiVersion": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "apimSkuVnet": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "apimDisablePublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "apimApiBackendCertValidation": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "apimDirectApiEndpoint": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "apimCallApiAuthn": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "apimEncryptedProtocols": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "apimVnetUsage": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "apimSecrets": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "apimTls": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-Apim-without-Kv",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('apimSecrets')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Apim-without-Vnet",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('apimVnetUsage')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-APIM-TLS",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('apimTls')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Apim-Protocols",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('apimEncryptedProtocols')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Apim-Authn",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('apimCallApiAuthn')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Apim-Direct-Endpoint",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('apimDirectApiEndpoint')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Apim-Cert-Validation",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('apimApiBackendCertValidation')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Dine-Apim-Public-NetworkAccess",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('apimDisablePublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Apim-Sku-Vnet",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('apimSkuVnet')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Apim-Version",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('minimumApiVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Api-subscription-scope",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('apiSubscriptionScope')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_appservices.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_appservices.tmpl.json
new file mode 100644
index 000000000..a571fb9c4
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_appservices.tmpl.json
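Review bot: None of the eleven parameters in this initiative carries a `metadata` block, so a user assigning `Enforce-Guardrails-APIM` in the portal sees only the raw names (`apimSecrets`, `minimumApiVersion`, `apiSubscriptionScope`) and has no description of which control each effect switches; the earlier TLS/SSL initiative in this same diff documents its parameters with `displayName`/`description`, so this file is inconsistent with it. The same omission applies to the Enforce-Guardrails-AppServices and Enforce-Guardrails-Automation hunks that follow. Add to each parameter a block that at least names the policy reference it drives, for example on `apimSecrets`: `"metadata": { "displayName": "Effect for Deny-Apim-without-Kv", "description": "Effect applied to the API Management secret-storage policy referenced as Deny-Apim-without-Kv." }`. Note also that several parameter names read like settings rather than effects (`minimumApiVersion`, `apiSubscriptionScope`); a description is the cheapest way to make clear they hold an effect value.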
@@ -0,0 +1,367 @@
+{
+ "name": "Enforce-Guardrails-AppServices",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for App Service",
+ "description": "This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "App Service",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "functionAppDebugging": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "appServiceDisableLocalAuth": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "appServiceSkuPl": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "appServiceDisableLocalAuthFtp": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "appServiceRouting": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "appServiceScmAuth": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "appServiceRfc": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "appServiceAppsRfc": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "appServiceAppsVnetRouting": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "appServiceEnvLatestVersion": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "appServiceAppSlotsRemoteDebugging": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "appServiceAppsRemoteDebugging": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "appServiceByoc": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "functionAppSlotsModifyHttps": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "appServiceAppHttps": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "functionAppSlotsModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "appServiceAppsModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "appServiceAppModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-AppService-Byoc",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('appServiceByoc')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Dine-AppService-Apps-Remote-Debugging",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('appServiceAppsRemoteDebugging')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-AppService-Slots-Remote-Debugging",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('appServiceAppSlotsRemoteDebugging')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-AppService-Latest-Version",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('appServiceEnvLatestVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-AppService-Vnet-Routing",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('appServiceAppsVnetRouting')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-AppService-Rfc",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('appServiceRfc')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-AppServiceApps-Rfc",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('appServiceAppsRfc')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-FuncApp-Debugging",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('functionAppDebugging')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-AppService-ScmAuth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('appServiceScmAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-AppServ-Routing",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('appServiceRouting')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-AppServ-FtpAuth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('appServiceDisableLocalAuthFtp')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-AppServ-SkuPl",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('appServiceSkuPl')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-AppService-LocalAuth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('appServiceDisableLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-AppService-Debugging",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('functionAppDebugging')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Https",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('functionAppSlotsModifyHttps')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-AppService-Https",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('appServiceAppHttps')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('functionAppSlotsModifyPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-AppService-Apps-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('appServiceAppsModifyPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-AppService-App-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('appServiceAppModifyPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_automation.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_automation.tmpl.json
new file mode 100644
index 000000000..27e5cb41c
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_automation.tmpl.json
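Review bot: The single parameter `functionAppDebugging` drives two different references, `DINE-FuncApp-Debugging` (70adbb40-…) and `DINE-AppService-Debugging` (25a5046c-…), so an operator cannot disable remediation for one without the other, and the name says nothing about the second one; every other reference in this file has its own parameter. Give the App Service reference its own parameter (a proposed name, `appServiceDebugging`, is used below) with the same DeployIfNotExists/Disabled shape. Separately, the reference IDs `Deny-AppService-Slots-Remote-Debugging` and `Deny-AppServ-FtpAuth` are prefixed `Deny-` but are bound to parameters that only allow `DeployIfNotExists`/`Disabled`; since the reference ID is what shows up in compliance results, renaming them with the `DINE-` prefix used by the neighbouring entries would stop them reading as enforcement controls.
```json
    "appServiceDebugging": {
      "type": "string",
      "defaultValue": "DeployIfNotExists",
      "allowedValues": [
        "DeployIfNotExists",
        "Disabled"
      ]
    }
    // … unchanged: remaining parameters and policyDefinitions up to DINE-AppService-Debugging …
    {
      "policyDefinitionReferenceId": "DINE-AppService-Debugging",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b",
      "parameters": {
        "effect": {
          "value": "[parameters('appServiceDebugging')]"
        }
      },
      "groupNames": []
    }
```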
@@ -0,0 +1,137 @@
+{
+ "name": "Enforce-Guardrails-Automation",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Automation Account",
+ "description": "This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Automation",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "aaModifyLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "aaVariablesEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "aaLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "aaManagedIdentity": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "autoHotPatch": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "aaModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-Windows-Vm-HotPatch",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('autoHotPatch')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Aa-Managed-Identity",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('aaManagedIdentity')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Aa-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('aaLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Aa-Variables-Encrypt",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('aaVariablesEncryption')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Aa-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('aaModifyLocalAUth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Aa-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('aaModifyPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json
new file mode 100644
index 000000000..a10aab0ab
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json
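Review bot: The `Modify-Aa-Local-Auth` entry references `aaModifyLocalAUth` while the parameter is declared as `aaModifyLocalAuth`; even if parameter lookup tolerates the case difference, the mismatch defeats any search for the parameter name and should read `"value": "[parameters('aaModifyLocalAuth')]"`. The `allowedValues` order in this file (`"Audit", "Disabled", "Deny"`) also differs from the `"Audit", "Deny", "Disabled"` order used by the other initiatives in this change; one order keeps the files diffable against each other. Every new policy set file in this change is also written without a trailing newline (`\ No newline at end of file`), which the existing files in the directory appear to have.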
@@ -0,0 +1,118 @@
+{
+ "name": "Enforce-Guardrails-CognitiveServices",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Cognitive Services",
+ "description": "This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Cognitive Services",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "cognitiveSearchSku": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "cognitiveSearchLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "modifyCognitiveSearchLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "modifyCognitiveSearchPublicEndpoint": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "cognitiveServicesModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-CognitiveSearch-SKU",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cognitiveSearchSku')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-CongitiveSearch-LocalAuth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cognitiveSearchLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-CogntiveSearch-LocalAuth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('modifyCognitiveSearchLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-CogntiveSearch-PublicEndpoint",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('modifyCognitiveSearchPublicEndpoint')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Cognitive-Services-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cognitiveServicesModifyPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_compute.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_compute.tmpl.json
new file mode 100644
index 000000000..856e612df
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_compute.tmpl.json
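Review bot: Three `policyDefinitionReferenceId` values in this initiative are misspelled — `Deny-CongitiveSearch-LocalAuth`, `Modify-CogntiveSearch-LocalAuth` and `Modify-CogntiveSearch-PublicEndpoint`. These ids are what compliance results, exemptions and remediation tasks refer to once the initiative is assigned, so they are hard to rename later; correct them before merge to `Deny-CognitiveSearch-LocalAuth`, `Modify-CognitiveSearch-LocalAuth` and `Modify-CognitiveSearch-PublicEndpoint`. The parameter names also mix two conventions (`modifyCognitiveSearchLocalAuth` verb-first, `cognitiveServicesModifyPublicNetworkAccess` service-first); the other new initiatives consistently use the service-first form, e.g. `cosmosDbModifyLocalAuth`.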
@@ -0,0 +1,64 @@
+{
+ "name": "Enforce-Guardrails-Compute",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Compute",
+ "description": "This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Compute",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "diskDoubleEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "vmAndVmssEncryptionHost": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-VmAndVmss-Encryption-Host",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('vmAndVmssEncryptionHost')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Disk-Double-Encryption",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('diskDoubleEncryption')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerapps.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerapps.tmpl.json
new file mode 100644
index 000000000..5477729a9
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerapps.tmpl.json
@@ -0,0 +1,64 @@
+{
+ "name": "Enforce-Guardrails-ContainerApps",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Container Apps",
+ "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Container Apps",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "containerAppsManagedIdentity": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "containerAppsVnetInjection": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-ContainerApp-Vnet-Injection",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('containerAppsVnetInjection')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ContainerApps-Managed-Identity",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('containerAppsManagedIdentity')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerinstance.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerinstance.tmpl.json
new file mode 100644
index 000000000..6ec4c7dac
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerinstance.tmpl.json
@@ -0,0 +1,43 @@
+{
+ "name": "Enforce-Guardrails-ContainerInstance",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Container Instance",
+ "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Container Instances",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "containerInstanceVnet": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": {
+ "policyDefinitionReferenceId": "Deny-ContainerInstance-Vnet",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('containerInstanceVnet')]"
+ }
+ },
+ "groupNames": []
+ },
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerregistry.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerregistry.tmpl.json
new file mode 100644
index 000000000..edb893f56
--- /dev/null
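Review bot: `policyDefinitions` in the Container Instance initiative is a bare object, whereas the `Microsoft.Authorization/policySetDefinitions` schema and every sibling file in this change use an array of entries; as written the definition will most likely be rejected when deployed, and a second policy could not be added without reshaping the file. Change `"policyDefinitions": {` to `"policyDefinitions": [ {` and the `},` that closes the entry (just before `"policyDefinitionGroups"`) to `} ],`. The `description` also still says "ensures Container Apps is compliant", carried over from the Container Apps file; the Container Registry initiative in the next hunk has the same stale description and should say "Container Registry".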
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerregistry.tmpl.json 
@@ -0,0 +1,249 @@
+{
+ "name": "Enforce-Guardrails-ContainerRegistry",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Container Registry",
+ "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Container Registry",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "containerRegistryUnrestrictedNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "containerRegistryRepositoryToken": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "containerRegistryModifyRepositoryToken": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "containerRegistryLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "containerRegistryModifyLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "containerRegistryExports": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "containerRegistryAnAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "containerRegistryModifyAnAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "containerRegistrySkuPrivateLink": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "containerRegistryArmAudience": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "containerRegistryModifyArmAudience": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "containerRegistryModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Modify-ContainerRegistry-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('containerRegistryModifyLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-ContainerRegistry-Repo-Token",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('containerRegistryModifyRepositoryToken')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ContainerRegistry-Arm-Audience",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('containerRegistryArmAudience')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-ContainerRegistry-Arm-Audience",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('containerRegistryModifyArmAudience')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ContainerRegistry-Sku-PrivateLink",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('containerRegistrySkuPrivateLink')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-ContainerRegistry-Anonymous-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('containerRegistryModifyAnAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ContainerRegistry-Anonymous-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('containerRegistryAnAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ContainerRegistry-Exports",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('containerRegistryExports')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ContainerRegistry-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('containerRegistryLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ContainerRegistry-Repo-Token",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('containerRegistryRepositoryToken')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ContainerRegistry-Unrestricted-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('containerRegistryUnrestrictedNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-ContainerRegistry-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('containerRegistryModifyPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cosmosdb.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cosmosdb.tmpl.json
new file mode 100644
index 000000000..8fd6bbca9
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cosmosdb.tmpl.json
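Review bot: The parameters `containerRegistryAnAuth` and `containerRegistryModifyAnAuth` abbreviate "anonymous" to `An`, which is not recognisable on its own and does not match the `Deny-ContainerRegistry-Anonymous-Auth` / `Modify-ContainerRegistry-Anonymous-Auth` reference ids they feed. Parameter names are the assignment interface of the initiative and get harder to change once assignments exist, so `containerRegistryAnonymousAuth` and `containerRegistryModifyAnonymousAuth` would be worth settling now. The parameter block is also in a different order from the `policyDefinitions` entries, which makes cross-checking the twelve pairs tedious; ordering both the same way (or alphabetically) would help.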
@@ -0,0 +1,124 @@
+{
+ "name": "Enforce-Guardrails-CosmosDb",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Cosmos DB",
+ "description": "This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Cosmos DB",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "cosmosDbLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "cosmosDbFwRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "cosmosDbAtp": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "cosmosDbModifyLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "cosmosDbModifyPublicAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Modify-CosmosDb-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cosmosDbModifyLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Dine-CosmosDb-Atp",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cosmosDbAtp')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-CosmosDb-Fw-Rules",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cosmosDbFwRules')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-CosmosDb-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cosmosDbLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Append-CosmosDb-Metadata",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5",
+ "parameters": {},
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-CosmosDb-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cosmosDbModifyPublicAccess')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_dataexplorer.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_dataexplorer.tmpl.json
new file mode 100644
index 000000000..5a53702d3
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_dataexplorer.tmpl.json
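Review bot: The `Append-CosmosDb-Metadata` entry passes `"parameters": {}` and has no corresponding initiative parameter, so unlike the other five policies in this set it cannot be turned off per assignment. If the referenced built-in definition exposes an `effect` parameter, expose it the same way as its siblings — a `cosmosDbAppendMetadata` parameter with `"Append"` / `"Disabled"` wired through `"value": "[parameters('cosmosDbAppendMetadata')]"`; if it does not, that is worth stating in the PR description so the asymmetry is understood as intentional. Also note `cosmosDbModifyPublicAccess` is the only "public network access" parameter across the new files that drops the word `Network`.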
@@ -0,0 +1,101 @@
+{
+ "name": "Enforce-Guardrails-DataExplorer",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Data Explorer",
+ "description": "This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Azure Data Explorer",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "adxEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adxDoubleEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adxSku": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adxModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-ADX-Sku-without-PL-Support",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('adxSku')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ADX-Double-Encryption",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('adxDoubleEncryption')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ADX-Encryption",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('adxEncryption')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-ADX-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('adxModifyPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_datafactory.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_datafactory.tmpl.json
new file mode 100644
index 000000000..0c87a56ff
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_datafactory.tmpl.json
@@ -0,0 +1,120 @@
+{
+ "name": "Enforce-Guardrails-DataFactory",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Data Factory",
+ "description": "This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Data Factory",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "adfSqlIntegration": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adfLinkedServiceKeyVault": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adfGit": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adfManagedIdentity": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adfModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-Adf-Managed-Identity",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('adfManagedIdentity')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Adf-Git",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('adfGit')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Adf-Linked-Service-Key-Vault",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('adfLinkedServiceKeyVault')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Adf-Sql-Integration",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('adfSqlIntegration')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Adf-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('adfModifyPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventgrid.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventgrid.tmpl.json
new file mode 100644
index 000000000..98870d1d7
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventgrid.tmpl.json
@@ -0,0 +1,173 @@
+{
+ "name": "Enforce-Guardrails-EventGrid",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Event Grid",
+ "description": "This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Event Grid",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "eventGridLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "eventGridPartnerNamespaceLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "eventGridPartnerNamespaceModifyLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "eventGridTopicLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "eventGridTopicModifyLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "eventGridDomainModifyLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "eventGridDomainModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "eventGridTopicModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Modify-EventGrid-Partner-Namespace-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('eventGridPartnerNamespaceModifyLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('eventGridDomainModifyLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-EventGrid-Topic-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('eventGridTopicLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('eventGridTopicModifyLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-EventGrid-Partner-Namespace-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('eventGridPartnerNamespaceLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-EventGrid-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('eventGridLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('eventGridDomainModifyPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('eventGridTopicModifyPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventhub.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventhub.tmpl.json
new file mode 100644
index 000000000..7b1a8fda5
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventhub.tmpl.json
@@ -0,0 +1,101 @@
+{
+ "name": "Enforce-Guardrails-EventHub",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Event Hub",
+ "description": "This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Event Hub",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "eventHubAuthRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "eventHubNamespacesLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "eventHubNamespacesModifyLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "eventHubNamespacesDoubleEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-EH-Double-Encryption",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('eventHubNamespacesDoubleEncryption')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-EH-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('eventHubNamespacesModifyLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-EH-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('eventHubNamespacesLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-EH-Auth-Rules",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('eventHubAuthRules')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault.tmpl.json
index f28118a95..1663c22df 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Azure Key Vault",
 "description": "Enforce recommended guardrails for Azure Key Vault.",
 "metadata": {
- "version": "1.0.0",
+ "version": "2.0.0",
 "category": "Key Vault",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
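Review bot: None of the four parameters in this new initiative carries a `metadata` block, so the assignment UI and the policy API expose bare names such as `eventHubAuthRules` with no statement of what the `Deny`/`Audit` choice controls; the Key Vault initiative in this same change does document its parameters (see the `"description": "Enter the days before expiration of the certificate…"` entry at the top of its `@@ -156,6 +156,292 @@` hunk). Each effect parameter should get at least a displayName and a one-line description naming the evaluated property, e.g. for `eventHubNamespacesLocalAuth`: `"metadata": { "displayName": "Event Hub namespaces local authentication", "description": "Effect applied when an Event Hub namespace allows local authentication" }`. The same gap applies to the new Key Vault supplementary (`@@ -0,0 +1,62 @@`), Kubernetes (`@@ -0,0 +1,326 @@`), Machine Learning (`@@ -0,0 +1,118 @@`), MySQL (`@@ -0,0 +1,63 @@`) and Network (`@@ -0,0 +1,525 @@`) initiatives below.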
@@ -156,6 +156,292 @@ "description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'." }, "defaultValue": 90 + }, + "keyVaultCheckMinimumRSACertificateSize": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultMinimumRSACertificateSizeValue": { + "type": "integer", + "defaultValue": 2048, + "allowedValues": [ + 2048, + 3072, + 4096 + ] + }, + "keyVaultManagedHsmCheckMinimumRSAKeySize": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultManagedHsmMinimumRSAKeySizeValue": { + "type": "integer", + "defaultValue": 2048, + "allowedValues": [ + 2048, + 3072, + 4096 + ] + }, + "keyVaultCheckMinimumRSAKeySize": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultMinimumRSAKeySizeValue": { + "type": "integer", + "defaultValue": 2048, + "allowedValues": [ + 2048, + 3072, + 4096 + ] + }, + "keyVaultArmRbac": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultHmsPurgeProtection": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultCertificatesPeriod": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultCertValidPeriod": { + "type": "integer", + "defaultValue": 12 + }, + "keyVaultHmsKeysExpiration": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keysValidPeriod": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keysValidityInDays": { + 
"type": "integer", + "defaultValue": 90 + }, + "secretsValidPeriod": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "secretsValidityInDays": { + "type": "integer", + "defaultValue": 90 + }, + "keyVaultCertKeyTypes": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultEllipticCurve": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultCryptographicType": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keysActive": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keysActiveInDays": { + "type": "integer", + "defaultValue": 90 + }, + "keysCurveNames": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "secretsActiveInDays": { + "type": "integer", + "defaultValue": 90 + }, + "secretsActive": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultSecretContentType": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultNonIntegratedCa": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultNonIntegratedCaValue": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "The common name of the certificate authority", + "description": "The common name (CN) of the Certificate Authority (CA) provider. 
For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso" + } + }, + "keyVaultIntegratedCa": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultIntegratedCaValue": { + "type": "array", + "defaultValue": [ + "DigiCert", + "GlobalSign" + ] + }, + "keyVaultHsmMinimumDaysBeforeExpiration": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultHsmMinimumDaysBeforeExpirationValue": { + "type": "integer", + "defaultValue": 90 + }, + "keyVaultHmsCurveNames": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultHmsCurveNamesValue": { + "type": "array", + "defaultValue": [ + "P-256", + "P-256K", + "P-384", + "P-521" + ] + }, + "keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue": { + "type": "integer", + "defaultValue": 90 } }, "policyDefinitions": [ 
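Review bot: Three of the new parameter names spell the acronym `Hms` (`keyVaultHmsPurgeProtection`, `keyVaultHmsKeysExpiration`, `keyVaultHmsCurveNames` with `keyVaultHmsCurveNamesValue`) while the rest use `Hsm` (`keyVaultManagedHsmCheckMinimumRSAKeySize`, `keyVaultHsmMinimumDaysBeforeExpiration`); this reads as a transposition. Parameter names are the initiative's public contract — assignments and the Terraform archetype overrides reference them by name — so once 2.0.0 ships a rename is a breaking change; fix it here, together with the matching `[parameters('keyVaultHms…')]` references in the `@@ -250,6 +536,255 @@` hunk. Separately, `allowedValues` casing is inconsistent across the new parameters: six of them accept `audit`/`Audit`, `deny`/`Deny`, `disabled`/`Disabled` while the others accept only the capitalised forms; if the lowercase variants mirror the referenced built-ins that is defensible, but a single convention across the initiative is less surprising to consumers and should be stated in the parameter metadata.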
@@ -250,6 +536,255 @@ } }, "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-RSA-Keys-without-MinCertSize", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0", + "parameters": { + "effect": { + "value": "[parameters('keyVaultCheckMinimumRSACertificateSize')]" + }, + "minimumRSAKeySize": { + "value": "[parameters('keyVaultMinimumRSACertificateSizeValue')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57", + "parameters": { + "effect": { + "value": "[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]" + }, + "minimumRSAKeySize": { + "value": "[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-RSA-Keys-without-MinKeySize", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9", + "parameters": { + "effect": { + "value": "[parameters('keyVaultCheckMinimumRSAKeySize')]" + }, + "minimumRSAKeySize": { + "value": "[parameters('keyVaultMinimumRSAKeySizeValue')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-without-ArmRbac", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5", + "parameters": { + "effect": { + "value": "[parameters('keyVaultArmRbac')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Hms-PurgeProtection", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383", + "parameters": { + "effect": { + "value": "[parameters('keyVaultHmsPurgeProtection')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Cert-Period", + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560", + "parameters": { + "effect": { + "value": "[parameters('keyVaultCertificatesPeriod')]" + }, + "maximumValidityInMonths": { + "value": "[parameters('keyVaultCertValidPeriod')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Hms-Key-Expire", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5", + "parameters": { + "effect": { + "value": "[parameters('keyVaultHmsKeysExpiration')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Keys-Expire", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9", + "parameters": { + "effect": { + "value": "[parameters('keysValidPeriod')]" + }, + "maximumValidityInDays": { + "value": "[parameters('keysValidityInDays')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Secrets-ValidityDays", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f", + "parameters": { + "effect": { + "value": "[parameters('secretsValidPeriod')]" + }, + "maximumValidityInDays": { + "value": "[parameters('secretsValidityInDays')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Key-Types", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f", + "parameters": { + "effect": { + "value": "[parameters('keyVaultCertKeyTypes')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Elliptic-Curve", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf", + "parameters": { + "effect": { + "value": "[parameters('keyVaultEllipticCurve')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "Deny-KV-Cryptographic-Type", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb", + "parameters": { + "effect": { + "value": "[parameters('keyVaultCryptographicType')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Key-Active", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9", + "parameters": { + "effect": { + "value": "[parameters('keysActive')]" + }, + "maximumValidityInDays": { + "value": "[parameters('keysActiveInDays')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Curve-Names", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255", + "parameters": { + "effect": { + "value": "[parameters('keysCurveNames')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-KV-Secret-ActiveDays", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe", + "parameters": { + "effect": { + "value": "[parameters('secretsActive')]" + }, + "maximumValidityInDays": { + "value": "[parameters('secretsActiveInDays')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Kv-Secret-Content-Type", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3", + "parameters": { + "effect": { + "value": "[parameters('keyVaultSecretContentType')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Kv-Non-Integrated-Ca", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341", + "parameters": { + "effect": { + "value": "[parameters('keyVaultNonIntegratedCa')]" + }, + "caCommonName": { + "value": "[parameters('keyVaultNonIntegratedCaValue')]" + } + }, + "groupNames": 
[] + }, + { + "policyDefinitionReferenceId": "Deny-Kv-Integrated-Ca", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82", + "parameters": { + "effect": { + "value": "[parameters('keyVaultIntegratedCa')]" + }, + "allowedCAs": { + "value": "[parameters('keyVaultIntegratedCaValue')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Kv-Hsm-MinimumDays-Before-Expiration", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653", + "parameters": { + "effect": { + "value": "[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Kv-Hsm-Curve-Names", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e", + "parameters": { + "effect": { + "value": "[parameters('keyVaultHmsCurveNames')]" + }, + "allowedECNames": { + "value": "[parameters('keyVaultHmsCurveNamesValue')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Kv-Cert-Expiration-Within-Specific-Number-Days", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427", + "parameters": { + "effect": { + "value": "[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]" + }, + "daysToExpire": { + "value": "[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]" + } + }, + "groupNames": [] } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault_sup.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault_sup.tmpl.json new file mode 100644 index 000000000..8b4b199fe 
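Review bot: The new `policyDefinitionReferenceId` values mix `Deny-KV-…` (the first twelve entries) with `Deny-Kv-…` (`Deny-Kv-Secret-Content-Type` onward) and one `Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize`; reference IDs surface in compliance results and are the key that policy exemptions target, so they are effectively permanent once assigned. Settle on the existing `Deny-KV-` form before this ships, e.g. `"policyDefinitionReferenceId": "Deny-KV-Secret-Content-Type"`. `Deny-KV-Hms-PurgeProtection` and `Deny-KV-Hms-Key-Expire` also carry the `Hms` spelling that appears as `Hsm` elsewhere in this same hunk (`Deny-Kv-Hsm-MinimumDays-Before-Expiration`, `Deny-Kv-Hsm-Curve-Names`).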
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault_sup.tmpl.json
@@ -0,0 +1,62 @@
+{
+ "name": "Enforce-Guardrails-KeyVault-Sup",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce additional recommended guardrails for Key Vault",
+ "description": "This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Key Vault",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "keyVaultManagedHsmDisablePublicNetworkModify": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "keyVaultModifyFw": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Modify-KV-PublicNetworkAccess",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-KV-Fw",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('keyVaultModifyFw')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
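Review bot: The parameter `keyVaultManagedHsmDisablePublicNetworkModify` says Managed HSM, but the entry it feeds is named `Modify-KV-PublicNetworkAccess` and the initiative's `displayName`/`description` mention only Key Vault, so one of the two names misdescribes policy definition `84d327c3-164a-4685-b453-900478614456`. Confirm which resource type that built-in targets and rename the side that is wrong, e.g. `"policyDefinitionReferenceId": "Modify-KV-ManagedHsm-PublicNetworkAccess"` if it is the Managed HSM definition, or drop `ManagedHsm` from the parameter if it is the vault one. Both entries default to `Modify`, which only takes effect when the assignment carries a managed identity holding the role the definition's `roleDefinitionIds` requires; since this file has no parameter metadata, that prerequisite should at least be stated in the PR description or the initiative `description`.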
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_kubernetes.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_kubernetes.tmpl.json new file mode 100644 index 000000000..44ac2927e --- /dev/null +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_kubernetes.tmpl.json 
@@ -0,0 +1,326 @@ +{ + "name": "Enforce-Guardrails-Kubernetes", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Kubernetes", + "description": "This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Kubernetes", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "aksKms": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "aksCni": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "aksLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksPrivateCluster": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksPolicy": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "aksCommandInvoke": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "aksReadinessOrLivenessProbes": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksPrivContainers": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksPrivEscalation": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksAllowedCapabilities": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + 
"aksTempDisk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksInternalLb": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksDefaultNamespace": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksNakedPods": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksShareHostProcessAndNamespace": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksWindowsContainerAdministrator": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Deny-Aks-Windows-Container-Administrator", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75", + "parameters": { + "effect": { + "value": "[parameters('aksWindowsContainerAdministrator')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Shared-Host-Process-Namespace", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8", + "parameters": { + "effect": { + "value": "[parameters('aksShareHostProcessAndNamespace')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Naked-Pods", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581", + "parameters": { + "effect": { + "value": "[parameters('aksNakedPods')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Default-Namespace", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373", + "parameters": { + "effect": { 
+ "value": "[parameters('aksDefaultNamespace')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Internal-Lb", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e", + "parameters": { + "effect": { + "value": "[parameters('aksInternalLb')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Temp-Disk-Encryption", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c", + "parameters": { + "effect": { + "value": "[parameters('aksTempDisk')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Allowed-Capabilities", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c", + "parameters": { + "effect": { + "value": "[parameters('aksAllowedCapabilities')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Priv-Escalation", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", + "parameters": { + "effect": { + "value": "[parameters('aksPrivEscalation')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Priv-Containers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", + "parameters": { + "effect": { + "value": "[parameters('aksPrivContainers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-ReadinessOrLiveness-Probes", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915", + "parameters": { + "effect": { + "value": "[parameters('aksReadinessOrLivenessProbes')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-Aks-Command-Invoke", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc", + "parameters": { + "effect": { + "value": "[parameters('aksCommandInvoke')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-Aks-Policy", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", + "parameters": { + "effect": { + "value": "[parameters('aksPolicy')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Private-Cluster", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", + "parameters": { + "effect": { + "value": "[parameters('aksPrivateCluster')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32", + "parameters": { + "effect": { + "value": "[parameters('aksLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Kms", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008", + "parameters": { + "effect": { + "value": "[parameters('aksKms')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Aks-Cni", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67", + "parameters": { + "effect": { + "value": "[parameters('aksCni')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json new file mode 100644 index 000000000..a4a15c22a --- /dev/null 
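Review bot: `Deny-Aks-Kms` and `Deny-Aks-Cni` are wired to `aksKms` and `aksCni`, whose `allowedValues` are only `Audit`/`Disabled`, so these reference IDs promise an enforcement the entries cannot deliver; the file already prefixes by effect (`Dine-Aks-Policy`, `Dine-Aks-Command-Invoke`), so `"policyDefinitionReferenceId": "Audit-Aks-Kms"` and `"policyDefinitionReferenceId": "Audit-Aks-Cni"` would be consistent. Reference IDs are permanent once compliance records and exemptions refer to them, so this is cheaper to fix now than after release. Separately, the pod-security entries (`Deny-Aks-Priv-Containers`, `Deny-Aks-Priv-Escalation`, `Deny-Aks-Allowed-Capabilities`, `Deny-Aks-Shared-Host-Process-Namespace` and the others) pass only `effect`; if those built-ins also take namespace or label selectors, the built-in defaults apply silently, which is worth confirming is intended before `Deny` is the default at landing-zone scope.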
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json 
@@ -0,0 +1,118 @@
+{
+ "name": "Enforce-Guardrails-MachineLearning",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Machine Learning",
+ "description": "This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Machine Learning",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "mlUserAssignedIdentity": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "mlModifyLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "mlLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "mlOutdatedOS": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "mlModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-ML-Outdated-Os",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2",
+ "parameters": {
+ "effects": {
+ "value": "[parameters('mlOutdatedOS')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ML-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('mlLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-ML-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('mlModifyLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ML-User-Assigned-Identity",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('mlUserAssignedIdentity')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-ML-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('mlModifyPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_mysql.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_mysql.tmpl.json
new file mode 100644
index 000000000..269fca49c
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_mysql.tmpl.json
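Review bot: `Deny-ML-Outdated-Os` passes its effect under the key `effects`, while every other entry in this file and in the sibling initiatives uses `effect`. A parameter name in a policy set must match the referenced definition's declared parameter exactly, so this either mirrors a quirk of built-in `f110a506-2dcb-422e-bcea-d533fc8c35e2` or fails at deployment; if it is deliberate, record that in the PR description so a later cleanup does not "normalise" it back to `effect`. As with `Deny-Aks-Kms` in the Kubernetes file, this entry is fed by `mlOutdatedOS`, which allows only `Audit`/`Disabled`, so `"policyDefinitionReferenceId": "Audit-ML-Outdated-Os"` would describe it accurately and the ID cannot be changed once compliance data refers to it.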
@@ -0,0 +1,63 @@
+{
+ "name": "Enforce-Guardrails-MySQL",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for MySQL",
+ "description": "This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "MySQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "mySqlInfraEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "mySqlAdvThreatProtection": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Dine-MySql-Adv-Threat-Protection",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('mySqlAdvThreatProtection')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-MySql-Infra-Encryption",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('mySqlInfraEncryption')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_network.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_network.tmpl.json
new file mode 100644
index 000000000..de94eb61a
--- /dev/null
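Review bot: The initiative's `description` claims it "ensures MySQL is compliant", but its coverage is exactly whatever resource type built-ins `3a58212a-c829-4f13-9872-6371df2fd0b4` and `80ed5239-4122-41ed-b54a-6f1fa7552816` declare; if both target the single-server resource type rather than Flexible Server (worth confirming against the definitions), flexible servers receive no guardrail here and the `Deny` default on infrastructure encryption will never fire for them. State the actual scope in the text so consumers do not read more assurance into it than the two entries provide, e.g. `"description": "This policy initiative is a group of policies that ensures Azure Database for MySQL servers are compliant per regulated Landing Zones."`. `Dine-MySql-Adv-Threat-Protection` defaults to `DeployIfNotExists`, which requires a managed identity on the assignment; as with the other new initiatives, that prerequisite is not documented anywhere in this file.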
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_network.tmpl.json 
@@ -0,0 +1,525 @@
+{
+ "name": "Enforce-Guardrails-Network",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Network and Networking services",
+ "description": "This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "subnetUdr": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "subnetNsg": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "subnetServiceEndpoint": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "appGwWaf": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "vnetModifyDdos": {
+ "type": "string",
+ "defaultValue": "Modify"
+ },
+ "ddosPlanResourceId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "wafMode": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "wafModeRequirement": {
+ "type": "string",
+ "defaultValue": "Prevention"
+ },
+ "wafFwRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "wafModeAppGw": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "wafModeAppGwRequirement": {
+ "type": "string",
+ "defaultValue": "Prevention"
+ },
+ "denyMgmtFromInternet": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "denyMgmtFromInternetPorts": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Ports",
+ "description": "Ports to be blocked"
+ },
+ "defaultValue": [
+ "22",
+ "3389"
+ ]
+ },
+ "afwEnbaleTlsForAllAppRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "afwEnableTlsInspection": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "afwEmptyIDPSBypassList": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "afwEnableAllIDPSSignatureRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "afwEnableIDPS": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "wafAfdEnabled": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "vpnAzureAD": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "appGwTlsVersion": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "modifyUdr": {
+ "type": "string",
+ "defaultValue": "Disabled"
+ },
+ "modifyUdrNextHopIpAddress": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "modifyUdrNextHopType": {
+ "type": "string",
+ "defaultValue": "None"
+ },
+ "modifyUdrAddressPrefix": {
+ "type": "string",
+ "defaultValue": "0.0.0.0/0"
+ },
+ "modifyNsg": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "modifyNsgRuleName": {
+ "type": "string",
+ "defaultValue": "DenyAnyInternetOutbound"
+ },
+ "modifyNsgRulePriority": {
+ "type": "integer",
+ "defaultValue": 1000
+ },
+ "modifyNsgRuleDirection": {
+ "type": "string",
+ "defaultValue": "Outbound"
+ },
+ "modifyNsgRuleAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "modifyNsgRuleProtocol": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "modifyNsgRuleSourceAddressPrefix": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "modifyNsgRuleSourcePortRange": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "modifyNsgRuleDestinationAddressPrefix": {
+ "type": "string",
+ "defaultValue": "Internet"
+ },
+ "modifyNsgRuleDestinationPortRange": {
+ "type": "string",
+ "defaultValue": "*"
+ },
+ "modifyNsgRuleDescription": {
+ "type": "string",
+ "defaultValue": "Deny any outbound traffic to the Internet"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-Nsg-GW-subnet",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010",
+ "parameters": {},
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-VPN-AzureAD",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('vpnAzureAD')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Waf-Afd-Enabled",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('wafAfdEnabled')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Waf-IDPS",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('afwEnableIDPS')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-FW-AllIDPSS",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('afwEnableAllIDPSSignatureRules')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-FW-EmpIDPSBypass",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('afwEmptyIDPSBypassList')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-FW-TLS-Inspection",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('afwEnableTlsInspection')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-FW-TLS-AllApp",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('afwEnbaleTlsForAllAppRules')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Waf-AppGw-mode",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('wafModeAppGw')]"
+ },
+ "modeRequirement": {
+ "value": "[parameters('wafModeAppGwRequirement')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Waf-Fw-rules",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('wafFwRules')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Waf-mode",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('wafMode')]"
+ },
+ "modeRequirement": {
+ "value": "[parameters('wafModeRequirement')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-vNet-DDoS",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('vnetModifyDdos')]"
+ },
+ "ddosPlan": {
+ "value": "[parameters('ddosPlanResourceId')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Ip-Forwarding",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
+ "parameters": {},
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-vNic-Pip",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114",
+ "parameters": {},
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-AppGw-Without-Waf",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('appGwWaf')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Subnet-Without-UDR",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-UDR",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('subnetUdr')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Subnet-Without-NSG",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('subnetNsg')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Subnet-with-Service-Endpoints",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('subnetServiceEndpoint')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Mgmt-From-Internet",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('denyMgmtFromInternet')]"
+ },
+ "ports": {
+ "value": "[parameters('denyMgmtFromInternetPorts')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-AppGw-Without-Tls",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('appGwTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Udr",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('modifyUdr')]"
+ },
+ "nextHopIpAddress": {
+ "value": "[parameters('modifyUdrNextHopIpAddress')]"
+ },
+ "nextHopType": {
+ "value": "[parameters('modifyUdrNextHopType')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('modifyUdrAddressPrefix')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Nsg",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('modifyNsg')]"
+ },
+ "nsgRuleName": {
+ "value": "[parameters('modifyNsgRuleName')]"
+ },
+ "nsgRulePriority": {
+ "value": "[parameters('modifyNsgRulePriority')]"
+ },
+ "nsgRuleDirection": {
+ "value": "[parameters('modifyNsgRuleDirection')]"
+ },
+ "nsgRuleAccess": {
+ "value": "[parameters('modifyNsgRuleAccess')]"
+ },
+ "nsgRuleProtocol": {
+ "value": "[parameters('modifyNsgRuleProtocol')]"
+ },
+ "nsgRuleSourceAddressPrefix": {
+ "value": "[parameters('modifyNsgRuleSourceAddressPrefix')]"
+ },
+ "nsgRuleSourcePortRange": {
+ "value": "[parameters('modifyNsgRuleSourcePortRange')]"
+ },
+ "nsgRuleDestinationAddressPrefix": {
+ "value": "[parameters('modifyNsgRuleDestinationAddressPrefix')]"
+ },
+ "nsgRuleDestinationPortRange": {
+ "value": "[parameters('modifyNsgRuleDestinationPortRange')]"
+ },
+ "nsgRuleDescription": {
+ "value": "[parameters('modifyNsgRuleDescription')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json
new file mode 100644
index 000000000..f58a16c10
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json
@@ -0,0 +1,139 @@
+{
+ "name": "Enforce-Guardrails-OpenAI",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Open AI (Cognitive Service)",
+ "description": "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Cognitive Services",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "cognitiveServicesOutboundNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "cognitiveServicesNetworkAcls": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "cognitiveServicesModifyDisableLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "cognitiveServicesDisableLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "cognitiveServicesCustomerStorage": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "cognitiveServicesManagedIdentity": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-OpenAi-OutboundNetworkAccess",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cognitiveServicesOutboundNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-OpenAi-NetworkAcls",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cognitiveServicesNetworkAcls')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cognitiveServicesManagedIdentity')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Cognitive-Services-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cognitiveServicesDisableLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Cognitive-Services-Cust-Storage",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cognitiveServicesCustomerStorage')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cognitiveServicesModifyDisableLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_postgresql.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_postgresql.tmpl.json
new file mode 100644
index 000000000..6c4efa8fe
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_postgresql.tmpl.json
@@ -0,0 +1,42 @@
+{
+ "name": "Enforce-Guardrails-PostgreSQL",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for PostgreSQL",
+ "description": "This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "PostgreSQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "postgreSqlAdvThreatProtection": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": {
+ "policyDefinitionReferenceId": "Dine-PostgreSql-Adv-Threat-Protection",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('postgreSqlAdvThreatProtection')]"
+ }
+ },
+ "groupNames": []
+ },
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_servicebus.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_servicebus.tmpl.json
new file mode 100644
index 000000000..35e5d0060
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_servicebus.tmpl.json
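Review bot: `policyDefinitions` is a single object here rather than an array holding that object, unlike every other initiative in this commit; I would expect the policySetDefinitions API to reject the document, and any tooling that iterates the entries will fail on it before that. Change `"policyDefinitions": {` to `"policyDefinitions": [` followed by `{`, and close the entry with `}` then `],` ahead of `policyDefinitionGroups`, which also keeps the file shaped like the MySQL set it mirrors.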
@@ -0,0 +1,101 @@
+{
+ "name": "Enforce-Guardrails-ServiceBus",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Service Bus",
+ "description": "This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Service Bus",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "serviceBusModifyDisableLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "serviceBusDenyDisabledLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "serviceBusDoubleEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "serviceBusAuthzRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-Sb-Authz-Rules",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('serviceBusAuthzRules')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Sb-Encryption",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('serviceBusDoubleEncryption')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Sb-LocalAuth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('serviceBusDenyDisabledLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Sb-LocalAuth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('serviceBusModifyDisableLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_sql.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_sql.tmpl.json
new file mode 100644
index 000000000..26a05fd68
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_sql.tmpl.json
@@ -0,0 +1,106 @@
+{
+ "name": "Enforce-Guardrails-SQL",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for SQL and SQL Managed Instance",
+ "description": "This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "sqlManagedAadOnly": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "sqlAadOnly": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "sqlManagedDefender": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "modifySqlPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Dine-Sql-Managed-Defender",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('sqlManagedDefender')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Sql-Aad-Only",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('sqlAadOnly')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Sql-Managed-Aad-Only",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('sqlManagedAadOnly')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Dine-Sql-Adv-Data",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6",
+ "parameters": {},
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Sql-PublicNetworkAccess",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('modifySqlPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_storage.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_storage.tmpl.json
new file mode 100644
index 000000000..9170d16eb
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_storage.tmpl.json
@@ -0,0 +1,463 @@
+{
+ "name": "Enforce-Guardrails-Storage",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Storage Account",
+ "description": "This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "storageKeysExpiration": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageAccountNetworkRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageAccountRestrictNetworkRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageThreatProtection": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "storageClassicToArm": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageAccountsInfraEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageAccountSharedKey": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageAccountsCrossTenant": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageAccountsDoubleEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageAccountsCopyScope": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageAccountsAllowedCopyScope": {
+ "type": "string",
+ "defaultValue": "AAD"
+ },
+ "storageServicesEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageLocalUser": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageSftp": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageNetworkAclsBypass": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageAllowedNetworkAclsBypass": {
+ "type": "array",
+ "defaultValue": [
+ "None"
+ ]
+ },
+ "storageResourceAccessRulesTenantId": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageResourceAccessRulesResourceId": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageNetworkAclsVirtualNetworkRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageContainerDeleteRetentionPolicy": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "storageMinContainerDeleteRetentionInDays": {
+ "type": "Integer",
+ "defaultValue": 7
+ },
+ "storageCorsRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "modifyStorageFileSyncPublicEndpoint": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "modifyStorageAccountPublicEndpoint": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "storageAccountsModifyDisablePublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-CopyScope",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageAccountsCopyScope')]"
+ },
+ "allowedCopyScope": {
+ "value": "[parameters('storageAccountsAllowedCopyScope')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-ServicesEncryption",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageServicesEncryption')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-LocalUser",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageLocalUser')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-Sftp",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-Sftp",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageSftp')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsBypass",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageNetworkAclsBypass')]"
+ },
+ "allowedBypassOptions": {
+ "value": "[parameters('storageAllowedNetworkAclsBypass')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesTenantId",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageResourceAccessRulesTenantId')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesResourceId",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageResourceAccessRulesResourceId')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsVirtualNetworkRules",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageNetworkAclsVirtualNetworkRules')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-ContainerDeleteRetentionPolicy",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageContainerDeleteRetentionPolicy')]"
+ },
+ "minContainerDeleteRetentionInDays": {
+ "value": "[parameters('storageMinContainerDeleteRetentionInDays')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-CorsRules",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageCorsRules')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-Account-Encryption",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageAccountsDoubleEncryption')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-Cross-Tenant",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageAccountsCrossTenant')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-Shared-Key",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageAccountSharedKey')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-Infra-Encryption",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageAccountsInfraEncryption')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-Classic",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageClassicToArm')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Dine-Storage-Threat-Protection",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageThreatProtection')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-Restrict-NetworkRules",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageAccountRestrictNetworkRules')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-NetworkRules",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageAccountNetworkRules')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Storage-Account-Keys-Expire",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageKeysExpiration')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Storage-FileSync-PublicEndpoint",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('modifyStorageFileSyncPublicEndpoint')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Blob-Storage-Account-PublicEndpoint",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('modifyStorageAccountPublicEndpoint')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Storage-Account-PublicEndpoint",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageAccountsModifyDisablePublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_synapse.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_synapse.tmpl.json
new file mode 100644
index 000000000..96b0213ea
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_synapse.tmpl.json
@@ -0,0 +1,202 @@
+{
+ "name": "Enforce-Guardrails-Synapse",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Synapse workspaces",
+ "description": "This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Synapse",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "synapseLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "synapseManagedVnet": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "synapseDataTraffic": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "synapseTenants": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "synapseAllowedTenantIds": {
+ "type": "array",
+ "defaultValue": [
+ "[subscription().tenantId]"
+ ]
+ },
+ "synapseFwRules": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "synapseModifyLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "synapseDefender": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "synapseModifyTlsVersion": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "synapseModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Dine-Synapse-Defender",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('synapseDefender')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Synapse-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('synapseModifyLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Synapse-Fw-Rules",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('synapseFwRules')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Synapse-Tenant-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('synapseTenants')]"
+ },
+ "allowedTenantIds": {
+ "value": "[parameters('synapseAllowedTenantIds')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Synapse-Data-Traffic",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('synapseDataTraffic')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Synapse-Managed-Vnet",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('synapseManagedVnet')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Synapse-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('synapseLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Synapse-Tls-Version",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('synapseModifyTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Synapse-Public-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('synapseModifyPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_virtualdesktop.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_virtualdesktop.tmpl.json
new file mode 100644
index 000000000..c65b0f739
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_virtualdesktop.tmpl.json
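Review bot: `synapseFwRules` is the only Deny-capable parameter in this initiative whose default is `Audit`; every other `synapse*` effect defaults to `Deny`, `Modify` or `DeployIfNotExists`, so an assignment that accepts the defaults enforces everything except the IP firewall rule check (`Deny-Synapse-Fw-Rules`), and nothing in the file records whether that exception is intentional. If a softer default is deliberate because existing workspaces depend on firewall rules, say so in the parameter's metadata; otherwise align it with the rest via `"defaultValue": "Deny"`. Separately, none of the ten parameters carry a `metadata` block, so assignment UIs and generated reference docs show only the raw parameter names — each would benefit from a one-line `"metadata": { "displayName": "…", "description": "…" }`, and the `Modify`/`DeployIfNotExists` members are worth calling out there because they need a managed identity with write permission on the assignment. The initiative `description` also reads "ensures Synapse workspaces is compliant"; "are compliant" matches the plural.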
@@ -0,0 +1,62 @@
+{
+ "name": "Enforce-Guardrails-VirtualDesktop",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Virtual Desktop",
+ "description": "This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Desktop Virtualization",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "avdWorkspaceModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "avdHostPoolModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Modify-Workspace-PublicNetworkAccess",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('avdWorkspaceModifyPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Hostpool-PublicNetworkAccess",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('avdHostPoolModifyPublicNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
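Review bot: Both members of this initiative are `Modify` effects that default to `Modify`, so an assignment taking the defaults rewrites the public-network-access setting on existing Virtual Desktop workspaces and host pools rather than merely reporting on it, and only `effect` is passed through — any other parameter the two built-ins expose is left at the built-in's own default, which the file does not document. Judging by the reference ids `Modify-Workspace-PublicNetworkAccess` and `Modify-Hostpool-PublicNetworkAccess`, the intended outcome is public access disabled, and that silently breaks client and session-host connectivity on host pools that do not yet have private endpoint connectivity in place. Worth stating that prerequisite and the identity requirement on the assignment in the parameters' metadata, e.g. `"metadata": { "displayName": "Host pool public network access", "description": "Modify sets publicNetworkAccess on existing host pools; requires private endpoints to be deployed first and a managed identity on the assignment." }`, and confirming that `Modify` rather than `Disabled` is the baseline the regulated landing zone intends for a first rollout.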