Update Library Templates (automated)

modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json

@@ -10,13 +10,20 @@
       "Deny-Subnet-Without-Nsg",
       "Deploy-AKS-Policy",
       "Deploy-AzSqlDb-Auditing",
+      "Deploy-MDFC-DefSQL-AMA",
       "Deploy-SQL-TDE",
       "Deploy-SQL-Threat",
       "Deploy-VM-Backup",
+      "Deploy-VM-ChangeTrack",
+      "Deploy-VM-Monitoring",
+      "Deploy-vmArc-ChangeTrack",
+      "Deploy-VMSS-ChangeTrack",
+      "Deploy-VMSS-Monitoring",
+      "Enable-AUM-CheckUpdates",
       "Enable-DDoS-VNET",
       "Enforce-AKS-HTTPS",
       "Enforce-GR-KeyVault",
-      "Enforce-TLS-SSL"
+      "Enforce-TLS-SSL-H224"
     ],
     "policy_definitions": [],
     "policy_set_definitions": [],

modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json

@@ -1,6 +1,14 @@
 {
   "es_platform": {
     "policy_assignments": [
+      "DenyAction-Resource-Del",
+      "Deploy-MDFC-DefSQL-AMA",
+      "Deploy-VM-ChangeTrack",
+      "Deploy-VM-Monitoring",
+      "Deploy-vmArc-ChangeTrack",
+      "Deploy-VMSS-ChangeTrack",
+      "Deploy-VMSS-Monitoring",
+      "Enable-AUM-CheckUpdates",
       "Enforce-GR-KeyVault"
     ],
     "policy_definitions": [],

modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json

@@ -1,18 +1,20 @@
 {
   "es_root": {
     "policy_assignments": [
+      "Audit-ResourceRGLocation",
+      "Audit-TrustedLaunch",
       "Audit-UnusedResources",
+      "Audit-ZoneResiliency",
       "Deny-Classic-Resources",
       "Deny-UnmanagedDisk",
       "Deploy-ASC-Monitoring",
       "Deploy-AzActivity-Log",
+      "Deploy-Diag-Logs",
       "Deploy-MDEndpoints",
-      "Deploy-MDFC-Config",
+      "Deploy-MDEndpointsAMA",
+      "Deploy-MDFC-Config-H224",
       "Deploy-MDFC-OssDb",
       "Deploy-MDFC-SqlAtp",
-      "Deploy-Resource-Diag",
-      "Deploy-VM-Monitoring",
-      "Deploy-VMSS-Monitoring",
       "Enforce-ACSB"
     ],
     "policy_definitions": [
@@ -28,17 +30,28 @@
       "Audit-PublicIpAddresses-UnusedResourcesCostOptimization",
       "Audit-ServerFarms-UnusedResourcesCostOptimization",
       "Deny-AA-child-resources",
+      "Deny-APIM-TLS",
+      "Deny-AppGw-Without-Tls",
       "Deny-AppGW-Without-WAF",
+      "Deny-AppService-without-BYOC",
       "Deny-AppServiceApiApp-http",
       "Deny-AppServiceFunctionApp-http",
       "Deny-AppServiceWebApp-http",
+      "Deny-AzFw-Without-Policy",
+      "Deny-CognitiveServices-NetworkAcls",
+      "Deny-CognitiveServices-Resource-Kinds",
+      "Deny-CognitiveServices-RestrictOutboundNetworkAccess",
       "Deny-Databricks-NoPublicIp",
       "Deny-Databricks-Sku",
       "Deny-Databricks-VirtualNetwork",
+      "Deny-EH-minTLS",
+      "Deny-EH-Premium-CMK",
       "Deny-FileServices-InsecureAuth",
       "Deny-FileServices-InsecureKerberos",
       "Deny-FileServices-InsecureSmbChannel",
       "Deny-FileServices-InsecureSmbVersions",
+      "Deny-LogicApp-Public-Network",
+      "Deny-LogicApps-Without-Https",
       "Deny-MachineLearning-Aks",
       "Deny-MachineLearning-Compute-SubnetId",
       "Deny-MachineLearning-Compute-VmSize",
@@ -55,9 +68,19 @@
       "Deny-PublicIP",
       "Deny-RDP-From-Internet",
       "Deny-Redis-http",
+      "Deny-Service-Endpoints",
       "Deny-Sql-minTLS",
       "Deny-SqlMi-minTLS",
+      "Deny-Storage-ContainerDeleteRetentionPolicy",
+      "Deny-Storage-CopyScope",
+      "Deny-Storage-CorsRules",
+      "Deny-Storage-LocalUser",
       "Deny-Storage-minTLS",
+      "Deny-Storage-NetworkAclsBypass",
+      "Deny-Storage-NetworkAclsVirtualNetworkRules",
+      "Deny-Storage-ResourceAccessRulesResourceId",
+      "Deny-Storage-ResourceAccessRulesTenantId",
+      "Deny-Storage-ServicesEncryption",
       "Deny-Storage-SFTP",
       "Deny-StorageAccount-CustomDomain",
       "Deny-Subnet-Without-Nsg",
@@ -127,10 +150,17 @@
       "Deploy-Diagnostics-WVDHostPools",
       "Deploy-Diagnostics-WVDWorkspace",
       "Deploy-FirewallPolicy",
+      "Deploy-LogicApp-TLS",
+      "Deploy-MDFC-Arc-SQL-DCR-Association",
+      "Deploy-MDFC-Arc-Sql-DefenderSQL-DCR",
+      "Deploy-MDFC-SQL-AMA",
+      "Deploy-MDFC-SQL-DefenderSQL-DCR",
+      "Deploy-MDFC-SQL-DefenderSQL",
       "Deploy-MySQL-sslEnforcement",
       "Deploy-Nsg-FlowLogs-to-LA",
       "Deploy-Nsg-FlowLogs",
       "Deploy-PostgreSQL-sslEnforcement",
+      "Deploy-Private-DNS-Generic",
       "Deploy-Sql-AuditingSettings",
       "Deploy-SQL-minTLS",
       "Deploy-Sql-SecurityAlertPolicies",
@@ -139,24 +169,59 @@
       "Deploy-Sql-vulnerabilityAssessments",
       "Deploy-SqlMi-minTLS",
       "Deploy-Storage-sslEnforcement",
+      "Deploy-UserAssignedManagedIdentity-VMInsights",
       "Deploy-Vm-autoShutdown",
       "Deploy-VNET-HubSpoke",
-      "Deploy-Windows-DomainJoin"
+      "Deploy-Windows-DomainJoin",
+      "Modify-NSG",
+      "Modify-UDR"
     ],
     "policy_set_definitions": [
+      "Audit-TrustedLaunch",
       "Audit-UnusedResourcesCostOptimization",
       "Deny-PublicPaaSEndpoints",
       "DenyAction-DeleteProtection",
+      "Deploy-AUM-CheckUpdates",
       "Deploy-Diagnostics-LogAnalytics",
+      "Deploy-MDFC-Config_20240319",
       "Deploy-MDFC-Config",
+      "Deploy-MDFC-DefenderSQL-AMA",
       "Deploy-Private-DNS-Zones",
+      "Deploy-Sql-Security_20240529",
       "Deploy-Sql-Security",
       "Enforce-ACSB",
       "Enforce-ALZ-Decomm",
       "Enforce-ALZ-Sandbox",
+      "Enforce-Backup",
       "Enforce-Encryption-CMK",
+      "Enforce-EncryptTransit_20240509",
       "Enforce-EncryptTransit",
-      "Enforce-Guardrails-KeyVault"
+      "Enforce-Guardrails-APIM",
+      "Enforce-Guardrails-AppServices",
+      "Enforce-Guardrails-Automation",
+      "Enforce-Guardrails-CognitiveServices",
+      "Enforce-Guardrails-Compute",
+      "Enforce-Guardrails-ContainerApps",
+      "Enforce-Guardrails-ContainerInstance",
+      "Enforce-Guardrails-ContainerRegistry",
+      "Enforce-Guardrails-CosmosDb",
+      "Enforce-Guardrails-DataExplorer",
+      "Enforce-Guardrails-DataFactory",
+      "Enforce-Guardrails-EventGrid",
+      "Enforce-Guardrails-EventHub",
+      "Enforce-Guardrails-KeyVault-Sup",
+      "Enforce-Guardrails-KeyVault",
+      "Enforce-Guardrails-Kubernetes",
+      "Enforce-Guardrails-MachineLearning",
+      "Enforce-Guardrails-MySQL",
+      "Enforce-Guardrails-Network",
+      "Enforce-Guardrails-OpenAI",
+      "Enforce-Guardrails-PostgreSQL",
+      "Enforce-Guardrails-ServiceBus",
+      "Enforce-Guardrails-SQL",
+      "Enforce-Guardrails-Storage",
+      "Enforce-Guardrails-Synapse",
+      "Enforce-Guardrails-VirtualDesktop"
     ],
     "role_definitions": [
       "Network-Subnet-Contributor",

modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json

@@ -33,7 +33,7 @@
           "privatelink.azurestaticapps.net",
           "privatelink.azuresynapse.net",
           "privatelink.azurewebsites.net",
-          "privatelink.${connectivity_location}.batch.azure.com",
+          "privatelink.batch.azure.com",
           "privatelink.blob.core.windows.net",
           "privatelink.cassandra.cosmos.azure.com",
           "privatelink.cognitiveservices.azure.com",

modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_resourcerglocation.tmpl.json

@@ -0,0 +1,24 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Audit-ResourceRGLocation",
+  "dependsOn": [],
+  "properties": {
+    "description": "Resource Group and Resource locations should match.",
+    "displayName": "Resource Group and Resource locations should match",
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a",
+    "enforcementMode": "Default",
+    "nonComplianceMessages": [
+      {
+        "message": "Resources {enforcementMode} be deployed in the same region as the Resource Group."
+      }
+    ],
+    "parameters": {},
+    "scope": "${current_scope_resource_id}",
+    "notScopes": []
+  },
+  "location": "${default_location}",
+  "identity": {
+    "type": "None"
+  }
+}

modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json

@@ -0,0 +1,28 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Audit-TrustedLaunch",
+  "location": "${default_location}",
+  "dependsOn": [],
+  "properties": {
+    "description": "Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.",
+    "displayName": "Audit virtual machines for Trusted Launch support",
+    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch",
+    "enforcementMode": "Default",
+    "nonComplianceMessages": [
+      {
+        "message": "Trust Launch {enforcementMode} be used on supported virtual machines for enhanced security."
+      }
+    ],
+    "parameters": {
+      "effect": {
+        "value": "Audit"
+      }
+    },
+    "scope": "${current_scope_resource_id}",
+    "notScopes": []
+  },
+  "identity": {
+    "type": "None"
+  }
+}

modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_zoneresiliency.tmpl.json

@@ -0,0 +1,31 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Audit-ZoneResiliency",
+  "dependsOn": [],
+  "properties": {
+    "description": "Resources should be Zone Resilient.",
+    "displayName": "Resources should be Zone Resilient",
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5",
+    "enforcementMode": "Default",
+    "nonComplianceMessages": [
+      {
+        "message": "Resources {enforcementMode} be Zone Resilient."
+      }
+    ],
+    "parameters": {
+      "effect": {
+        "value": "Audit"
+      },
+      "allow": {
+        "value": "Both"
+      }
+    },
+    "scope": "${current_scope_resource_id}",
+    "notScopes": []
+  },
+  "location": "${default_location}",
+  "identity": {
+    "type": "None"
+  }
+}

modules/archetypes/lib/policy_assignments/policy_assignment_es_denyaction_resource_del.tmpl.json

@@ -0,0 +1,26 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "DenyAction-Resource-Del",
+  "dependsOn": [],
+  "properties": {
+    "description": "This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect.",
+    "displayName": "Do not allow deletion of resource types",
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/78460a36-508a-49a4-b2b2-2f5ec564f4bb",
+    "enforcementMode": "Default",
+    "parameters": {
+      "effect": {
+        "value": "DenyAction"
+      },
+      "listOfResourceTypesDisallowedForDeletion": {
+        "value": []
+      }
+    },
+    "scope": "${current_scope_resource_id}",
+    "notScopes": []
+  },
+  "location": "${default_location}",
+  "identity": {
+    "type": "None"
+  }
+}

modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logs.tmpl.json

@@ -0,0 +1,28 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Deploy-Diag-Logs",
+  "location": "${default_location}",
+  "dependsOn": [],
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "properties": {
+    "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the allLogs category group to route logs to an Event Hub for all supported resources.",
+    "displayName": "Enable allLogs category group resource logging for supported resources to Log Analytics",
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/0884adba-2312-4468-abeb-5422caed1038",
+    "enforcementMode": "Default",
+    "nonComplianceMessages": [
+      {
+        "message": "Diagnostic settings {enforcementMode} be deployed to Azure services to forward logs to Log Analytics."
+      }
+    ],
+    "parameters": {
+      "logAnalytics": {
+        "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${root_scope_id}-la"
+      }
+    },
+    "scope": "${current_scope_resource_id}",
+    "notScopes": []
+  }
+}

modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpointsama.tmpl.json

@@ -0,0 +1,24 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Deploy-MDEndpointsAMA",
+  "location": "${default_location}",
+  "dependsOn": [],
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "properties": {
+    "description": "Configure the multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP, WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW, WDATP_UNIFIED_SOLUTION etc.). See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information.",
+    "displayName": "Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud",
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/77b391e3-2d5d-40c3-83bf-65c846b3c6a3",
+    "enforcementMode": "Default",
+    "nonComplianceMessages": [
+      {
+        "message": "Microsoft Defender for Endpoint {enforcementMode} be deployed."
+      }
+    ],
+    "parameters": {},
+    "scope": "${current_scope_resource_id}",
+    "notScopes": []
+  }
+}