diff --git a/docs/02-Architecture.md b/docs/02-Architecture.md index 1f1d0dd..e4a155e 100644 --- a/docs/02-Architecture.md +++ b/docs/02-Architecture.md @@ -15,7 +15,7 @@ The assigned policies in each of the landing zones are designed to support the b The SLZ Preview deploys under the [tenant root group](https://learn.microsoft.com/azure/governance/management-groups/overview#root-management-group-for-each-directory) in Azure, so it can support brownfield deployments, greenfield deployments, and multiple SLZ Preview deployments within the same tenant based on customer need. The SLZ Preview can also be deployed to an arbitrary [child management group](scenarios/Piloting-SLZ.md), which is better suited for conducting a proof-of-concept. -![SLZ Preview Architecture Diagram](images/sovereign-scale-architecture.png) +![SLZ Initial Architecture Diagram](images/slz-initial-architecture.png) ## Next Step diff --git a/docs/04-Repository-Setup.md b/docs/04-Repository-Setup.md index 6e8453f..560cde1 100644 --- a/docs/04-Repository-Setup.md +++ b/docs/04-Repository-Setup.md @@ -12,7 +12,7 @@ For contributing and best practice for receiving updates, follow the steps outli git clone https://github.com/Azure/sovereign-landing-zone ``` #### Fork Repository - ![Fork Repository screenshot](images/forkgithubrepo.png) + ![Fork Repository screenshot](images/fork-github-repo.png) The version of the SLZ Preview being used can be determined from the [git tag](https://git-scm.com/docs/git-tag) or the [release version](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases) the clone or fork was made from. 
@@ -20,7 +20,7 @@ The version of the SLZ Preview being used can be determined from the [git tag](h If you do not plan on contributing or do not intend to receive updates, you can simply download a copy of the [repository](https://github.com/Azure/sovereign-landing-zone) to your local machine, and unzip. - ![Screenshot of .zip download](images/downloadzipofrepo.png) + ![Screenshot of .zip download](images/download-github-repo.png) The version of the SLZ Preview being used can be determined from the [release version](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases) the zip file was downloaded from. The version number will be in the file name of the zip file. diff --git a/docs/10-Compliance-Dashboard.md b/docs/10-Compliance-Dashboard.md index 05a41f6..2862486 100644 --- a/docs/10-Compliance-Dashboard.md +++ b/docs/10-Compliance-Dashboard.md 
@@ -15,20 +15,20 @@ The compliance dashboard is customizable and [can be extended](scenarios/Extendi | 1 | Overall resources compliance score | Indicates the number of resources in the SLZ Preview top-level management group are compliant with all policies applied within the SLZ Preview. This calculation is also inclusive of the policies and initiatives assigned by the customer. | | 2 | Overall data residency compliance score | Indicates the number of resources in the SLZ Preview top-level management group that are compliant with data residency policies applied within the SLZ Preview. | | 3 | Overall confidential compliance score | Indicates the number of resources in the SLZ Preview top-level management group are compliant with encryption policies meant to keep data confidential and encrypted from Microsoft as the cloud operator. Note that resources of a valid SKU do not contribute to the total resource count by design: [Update in Policy Compliance for Resource Type Policies](https://azure.microsoft.com/updates/general-availability-update-in-policy-compliance-for-resource-type-policies/) | -| 4 | Resources by compliance state | Number of resources that are in each compliance state as evaluated by Azure Policy. | +| 4 | Resource compliance by state | Number of resources that are in each compliance state as evaluated by Azure Policy. | | 5 | Resource compliance percentage by subscription | Resource compliance percentage for each subscription that has applicable resources under it. This count also includes compliance reports for resource group and subscription compliance. | -| 6 | Resource compliance percentage per policy initiative | Resource compliance percentage for each policy initiative that has applicable resources under it. Supports custom initiatives if the policy initiative is being applied to applicable resources. This count also includes compliance reports for resource group and subscription compliance. 
| -| 7 | Resource compliance percentage per policy group | Resource compliance percentage for each policy group (prefixed with dashboard-) that has applicable resources enumerated as a policy group in the SLZ Preview bicep. The calculations on this tile cannot be directly verified via the Azure Policy section of Azure portal. | -| 8 | Non-Compliant and Exempt resources | Non-compliant and exempt resources as well as relevant information to act against those resources. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this. | -| 9 | Non-Compliant resources by location | Resources that are in regions outside of the custom defined safe regions list. The tile will only show resources that are in locations which are not allowed by the data residency policy. Currently, we have 1 data resident policy (Allowed locations). To view the data please verify there are resources present beyond the safe regions supported by the data resident policy. | -| 10| Resource exemptions | Resources that have been made exempt to data residence policies with actionable information. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this. | -| 11 | Resources outside of safe regions | All non-compliant resources and their location with enough detail to act. The tile will show resources that are in locations which are exempted under the data residency policy. Currently, we have 1 data resident policy (Allowed locations). 
To view the data please verify there are resources present beyond the safe regions supported by the data resident policy and there’s an exemption created for those resources. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this. | -| 12 | Resource compliance score for encryption at rest policy group | Percentage of resources that are compliant with the encryption at rest policy group. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. | -| 13 | Resource compliance score for encryption in transit policy group | Percentage of resources that are compliant with the data transit encryption policy group. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. | -| 14 | Resource compliance score for confidential computing policy group | Percentage of resources that are compliant with the confidential computing policy group. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. | -| 15 | Confidential resource exemptions | Shows the resources that have been made exempt from confidential policies with enough detail to act. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. Resources within the Confidential Corp and Confidential Online Management Groups are *NOT* expected to be exempt from the Allowed locations listed here as this tile shows the exemptions of the SlzConfidentialPolicies initiative. | - -![DashboardMarkup](images/github_compliance-dashboard.png) +| 6 | Resource compliance percentage by policy initiative | Resource compliance percentage for each policy initiative that has applicable resources under it. 
Supports custom initiatives if the policy initiative is being applied to applicable resources. This count also includes compliance reports for resource group and subscription compliance. | +| 7 | Resource compliance percentage by policy group | Resource compliance percentage for each policy group (prefixed with dashboard-) that has applicable resources enumerated as a policy group in the SLZ Preview bicep. The calculations on this tile cannot be directly verified via the Azure Policy section of Azure portal. | +| 8 | Non-Compliant and exempt resources | Non-compliant and exempt resources as well as relevant information to act against those resources. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this. | +| 9 | Non-compliant resources by location | Resources that are in regions outside of the custom defined safe regions list. The tile will only show resources that are in locations which are not allowed by the data residency policy. Currently, we have 1 data resident policy (Allowed locations). To view the data please verify there are resources present beyond the safe regions supported by the data resident policy. | +| 10| Resource exempt from data residency policies | Resources that have been made exempt to data residence policies with actionable information. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this. | +| 11 | Resources outside of approved regions | All non-compliant resources and their location with enough detail to act. 
The tile will show resources that are in locations which are exempted under the data residency policy. Currently, we have 1 data resident policy (Allowed locations). To view the data please verify there are resources present beyond the safe regions supported by the data resident policy and there’s an exemption created for those resources. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this. | +| 12 | Resource compliance score for encryption at rest policies | Percentage of resources that are compliant with the encryption at rest policy group. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. | +| 13 | Resource compliance score for encryption in transit policies | Percentage of resources that are compliant with the data transit encryption policy group. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. | +| 14 | Resource compliance score for confidential computing policies | Percentage of resources that are compliant with the confidential computing policy group. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. | +| 15 | Resource exempt from confidential computing policies | Shows the resources that have been made exempt from confidential policies with enough detail to act. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. Resources within the Confidential Corp and Confidential Online Management Groups are *NOT* expected to be exempt from the Allowed locations listed here as this tile shows the exemptions of the SlzConfidentialPolicies initiative. | + +![DashboardMarkup](images/compliance-dashboard.png) ## Next step 
diff --git a/docs/12-FAQ.md b/docs/12-FAQ.md index 79c7de5..90bfdda 100644 --- a/docs/12-FAQ.md +++ b/docs/12-FAQ.md @@ -34,11 +34,11 @@ Elevating permissions is no longer required, but it may be useful for organizati If elevating permissions is the preferred route for your organization, you may get an error such as: -![AccessError](images/deployerror-vscode.png) +![AccessError](images/elevate-permissions-error.png) Navigate to the Azure Active Directory Properties screen and ensure `Access management for Azure resources` is set to `Yes`. -![AzurePermissions](images/access-permissions.png) +![AzurePermissions](images/access-management-permissions.png) ### Why am I still getting an error about permissions even after my permissions have been elevated? @@ -172,7 +172,7 @@ While it's recommended to wait for Azure to automatically clean up the deploymen } } - #fetch resourcegroups under the subscriptions and for each resource groups get the deployments name and delete the corresponding deployment from deployment history + #fetch resource groups under the subscriptions and for each resource groups get the deployments name and delete the corresponding deployment from deployment history $subscriptions | ForEach-Object { Set-AzContext -SubscriptionName $_.DisplayName Get-AzResourceGroup | ForEach-Object { diff --git a/docs/13-Troubleshooting.md b/docs/13-Troubleshooting.md index 31d97cd..f306511 100644 --- a/docs/13-Troubleshooting.md +++ b/docs/13-Troubleshooting.md 
@@ -8,13 +8,13 @@ When a user creates or updates the SLZ Preview, they will execute the `/orchestr Any time the user should be informed of a specific log, that log will start with `>>>` including when a deployment step is beginning or ending. When an error occurs, the current deployment step will be the last deployment step printed in the logs. The screenshot below shows an example for the bootstrap deployment step. -![SLZ Preview Deployment Step in Logs](images/ViewDeploymentStep.png) +![SLZ Preview Deployment Step in Logs](images/determine-deployment-steps.png) ## Determining Error from the Error Message When an error occurs, the error message will most often be presented in a human readable format in red text, with the relevant details being contained within the `Status Message` field as seen below or in a generic `Message` field. -![SLZ Preview Erro in Logs](images/ViewErrorFromLog.png) +![SLZ Preview Error in Logs](images/determine-error-message.png) ## Bootstrap Errors diff --git a/docs/images/LightHouseTenantID.png b/docs/images/LightHouseTenantID.png deleted file mode 100644 index 09d8577..0000000 Binary files a/docs/images/LightHouseTenantID.png and /dev/null differ diff --git a/docs/images/LighthouseSubscriptionID.png b/docs/images/LighthouseSubscriptionID.png deleted file mode 100644 index 4a0b3d9..0000000 Binary files a/docs/images/LighthouseSubscriptionID.png and /dev/null differ diff --git a/docs/images/Upgrade-ComplianceDetails.png b/docs/images/Upgrade-ComplianceDetails.png deleted file mode 100644 index b3bfb05..0000000 Binary files a/docs/images/Upgrade-ComplianceDetails.png and /dev/null differ diff --git a/docs/images/Upgrade-ManagementGroup.png b/docs/images/Upgrade-ManagementGroup.png deleted file mode 100644 index b6c1475..0000000 Binary files a/docs/images/Upgrade-ManagementGroup.png and /dev/null differ 
diff --git a/docs/images/Upgrade-ManagementGroupDetail.png b/docs/images/Upgrade-ManagementGroupDetail.png deleted file mode 100644 index c2d6424..0000000 Binary files a/docs/images/Upgrade-ManagementGroupDetail.png and /dev/null differ diff --git a/docs/images/Upgrade-PolicyAssignmentDelete.png b/docs/images/Upgrade-PolicyAssignmentDelete.png deleted file mode 100644 index d5f5d61..0000000 Binary files a/docs/images/Upgrade-PolicyAssignmentDelete.png and /dev/null differ diff --git a/docs/images/Upgrade-PolicyAssignmentFilter.png b/docs/images/Upgrade-PolicyAssignmentFilter.png deleted file mode 100644 index 713cd0d..0000000 Binary files a/docs/images/Upgrade-PolicyAssignmentFilter.png and /dev/null differ diff --git a/docs/images/Upgrade-PolicyAssignmentScope.png b/docs/images/Upgrade-PolicyAssignmentScope.png deleted file mode 100644 index e0ec41b..0000000 Binary files a/docs/images/Upgrade-PolicyAssignmentScope.png and /dev/null differ diff --git a/docs/images/Upgrade-PolicyAssignmentsBlade.png b/docs/images/Upgrade-PolicyAssignmentsBlade.png deleted file mode 100644 index 86bd94c..0000000 Binary files a/docs/images/Upgrade-PolicyAssignmentsBlade.png and /dev/null differ diff --git a/docs/images/Upgrade-PolicyDefinitionFilter.png b/docs/images/Upgrade-PolicyDefinitionFilter.png deleted file mode 100644 index 465b556..0000000 Binary files a/docs/images/Upgrade-PolicyDefinitionFilter.png and /dev/null differ diff --git a/docs/images/Upgrade-PolicyDefinitionFilterDelete.png b/docs/images/Upgrade-PolicyDefinitionFilterDelete.png deleted file mode 100644 index 3e8ece7..0000000 Binary files a/docs/images/Upgrade-PolicyDefinitionFilterDelete.png and /dev/null differ diff --git a/docs/images/Upgrade-PolicyDefinitionList.png b/docs/images/Upgrade-PolicyDefinitionList.png deleted file mode 100644 index 625f682..0000000 Binary files a/docs/images/Upgrade-PolicyDefinitionList.png and /dev/null differ 
diff --git a/docs/images/ViewDeploymentStep.png b/docs/images/ViewDeploymentStep.png deleted file mode 100644 index 10d4af3..0000000 Binary files a/docs/images/ViewDeploymentStep.png and /dev/null differ diff --git a/docs/images/ViewErrorFromLog.png b/docs/images/ViewErrorFromLog.png deleted file mode 100644 index 58acc56..0000000 Binary files a/docs/images/ViewErrorFromLog.png and /dev/null differ diff --git a/docs/images/accessmanagementpermissions.png b/docs/images/access-management-permissions.png similarity index 100% rename from docs/images/accessmanagementpermissions.png rename to docs/images/access-management-permissions.png diff --git a/docs/images/access-permissions.png b/docs/images/access-permissions.png deleted file mode 100644 index 28c4c99..0000000 Binary files a/docs/images/access-permissions.png and /dev/null differ diff --git a/docs/images/compliance-dashboard.png b/docs/images/compliance-dashboard.png new file mode 100644 index 0000000..682c700 Binary files /dev/null and b/docs/images/compliance-dashboard.png differ diff --git a/docs/images/custom-policies-folder.png b/docs/images/custom-policies-folder.png deleted file mode 100644 index c49de9f..0000000 Binary files a/docs/images/custom-policies-folder.png and /dev/null differ diff --git a/docs/images/deployerror-vscode.png b/docs/images/deployerror-vscode.png deleted file mode 100644 index c218b78..0000000 Binary files a/docs/images/deployerror-vscode.png and /dev/null differ diff --git a/docs/images/determine-deployment-steps.png b/docs/images/determine-deployment-steps.png new file mode 100644 index 0000000..4bd6960 Binary files /dev/null and b/docs/images/determine-deployment-steps.png differ diff --git a/docs/images/determine-error-message.png b/docs/images/determine-error-message.png new file mode 100644 index 0000000..693c1f3 Binary files /dev/null and b/docs/images/determine-error-message.png differ 
diff --git a/docs/images/download-github-repo.png b/docs/images/download-github-repo.png new file mode 100644 index 0000000..e7fa7d0 Binary files /dev/null and b/docs/images/download-github-repo.png differ diff --git a/docs/images/downloadzipofrepo.png b/docs/images/downloadzipofrepo.png deleted file mode 100644 index 87abbff..0000000 Binary files a/docs/images/downloadzipofrepo.png and /dev/null differ diff --git a/docs/images/elevate-permissions-error.png b/docs/images/elevate-permissions-error.png new file mode 100644 index 0000000..54b5988 Binary files /dev/null and b/docs/images/elevate-permissions-error.png differ diff --git a/docs/images/empty-custom-policies.png b/docs/images/empty-custom-policies.png deleted file mode 100644 index d9d2310..0000000 Binary files a/docs/images/empty-custom-policies.png and /dev/null differ diff --git a/docs/images/fork-github-repo.png b/docs/images/fork-github-repo.png new file mode 100644 index 0000000..f6b74fb Binary files /dev/null and b/docs/images/fork-github-repo.png differ diff --git a/docs/images/forkgithubrepo.png b/docs/images/forkgithubrepo.png deleted file mode 100644 index 19b31fd..0000000 Binary files a/docs/images/forkgithubrepo.png and /dev/null differ diff --git a/docs/images/github_compliance-dashboard.png b/docs/images/github_compliance-dashboard.png deleted file mode 100644 index bbf38b8..0000000 Binary files a/docs/images/github_compliance-dashboard.png and /dev/null differ diff --git a/docs/images/parBillingAccountID.png b/docs/images/parBillingAccountID.png deleted file mode 100644 index 4754819..0000000 Binary files a/docs/images/parBillingAccountID.png and /dev/null differ diff --git a/docs/images/parEnrollmentID.png b/docs/images/parEnrollmentID.png deleted file mode 100644 index f9aa51e..0000000 Binary files a/docs/images/parEnrollmentID.png and /dev/null differ 
diff --git a/docs/images/removing-policy-assignments-01-policy-overview-blade.png b/docs/images/removing-policy-assignments-01-policy-overview-blade.png new file mode 100644 index 0000000..220f09b Binary files /dev/null and b/docs/images/removing-policy-assignments-01-policy-overview-blade.png differ diff --git a/docs/images/removing-policy-assignments-02-search-filter.png b/docs/images/removing-policy-assignments-02-search-filter.png new file mode 100644 index 0000000..d62cdec Binary files /dev/null and b/docs/images/removing-policy-assignments-02-search-filter.png differ diff --git a/docs/images/removing-policy-assignments-03-select-ellipsis.png b/docs/images/removing-policy-assignments-03-select-ellipsis.png new file mode 100644 index 0000000..f7b99ef Binary files /dev/null and b/docs/images/removing-policy-assignments-03-select-ellipsis.png differ diff --git a/docs/images/removing-policy-assignments-04-select-delete-assignment.png b/docs/images/removing-policy-assignments-04-select-delete-assignment.png new file mode 100644 index 0000000..1fd50bb Binary files /dev/null and b/docs/images/removing-policy-assignments-04-select-delete-assignment.png differ diff --git a/docs/images/slz-initial-architecture.png b/docs/images/slz-initial-architecture.png new file mode 100644 index 0000000..2f9a71b Binary files /dev/null and b/docs/images/slz-initial-architecture.png differ diff --git a/docs/images/slz-sample-deployment.png b/docs/images/slz-sample-deployment.png new file mode 100644 index 0000000..25e62d3 Binary files /dev/null and b/docs/images/slz-sample-deployment.png differ diff --git a/docs/images/sovereign-scale-architecture.png b/docs/images/sovereign-scale-architecture.png deleted file mode 100644 index e8902f7..0000000 Binary files a/docs/images/sovereign-scale-architecture.png and /dev/null differ diff --git a/docs/scenarios/Custom-Policies.md b/docs/scenarios/Custom-Policies.md index 3f9fd43..ee215e1 100644 --- a/docs/scenarios/Custom-Policies.md 
+++ b/docs/scenarios/Custom-Policies.md @@ -7,7 +7,7 @@ Once the SLZ Preview is deployed, the management group structure, subscriptions, The SLZ Preview allows for custom policy initiatives to be deployed within the standard management group scopes for each deployment through the following: 1. Navigate to the custom policy definitions located in `/custom/policies/definitions` in your version of the GitHub repository. -2. Each definition corresponds to one of the default management group scopes deployed as part of the SLZ Preview management group hierarchy ![Custom Policy Folder](../images/custom-policies-folder.png) +2. Each definition corresponds to one of the default management group scopes deployed as part of the SLZ Preview management group hierarchy: * `slzConfidentialCustom.json` -> Confidential Corp and Confidential Online Management Groups * `slzConnectivityCustom.json` -> Connectivity Management Group * `slzCorpCustom.json` -> Corp and Confidential Corp Management Groups 
@@ -21,7 +21,6 @@ The SLZ Preview allows for custom policy initiatives to be deployed within the s * `slzSandboxCustom.json` -> Sandbox Management Group 3. Select the file for management group scope that you want custom policies to apply to and if you want to apply custom policies to all application workloads then select `slzLandingZoneCustom.json` 4. If custom policies have not been added yet, then the custom policy file will look like the screenshot below. Do NOT edit the `policyType`, `id`, `type`, or `name` fields. You will update the `parameters`, `policyDefinitions`, and `policyDefinitionGroups` as described by the [initiative definition structure](https://learn.microsoft.com/azure/governance/policy/concepts/initiative-definition-structure) -![Empty Policy File](../images/empty-custom-policies.png) 5. Grouping policies together on the [SLZ Preview dashboard](./Extending-Compliance-Dashboard.md) is accomplished by adding `dashboard-` to the beginning of the policy definition group name, but any name can be used. The documentation for the [policy set definition group structure](https://learn.microsoft.com/azure/governance/policy/concepts/initiative-definition-structure#policy-definition-groups) describes the group structure further. A valid policy definition group can be found below: ``` { diff --git a/docs/scenarios/Pipeline-Deployments.md b/docs/scenarios/Pipeline-Deployments.md index 1ed0065..66fdb31 100644 --- a/docs/scenarios/Pipeline-Deployments.md +++ b/docs/scenarios/Pipeline-Deployments.md 
@@ -57,3 +57,20 @@ These deployment steps also have additional required parameters as the SLZ Previ |Dashboard|N/A| |Policy Exemptions|N/A| |Policy Remediations|N/A| + +## Pipeline Templates + +There may be some issues invoking the SLZ deployment scripts from a BASH task. Instead, it is recommended to use the `AzurePowerShell@5` task to invoke the scripts such as through the following example: + +``` +- task: AzurePowerShell@5 + inputs: + azureSubscription: ${{ parameters.SERVICE_CONNECTION }} + azurePowerShellVersion: LatestVersion + ScriptType: inlineScript + Inline: | + cd orchestration\scripts\ + ./New-SovereignLandingZone.ps1 -parAttendedLogin 0 -parDeployment all +``` + +Where the `SERVICE_CONNECTION` parameter is the previously setup service connection to be used during [pipeline execution](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#use-a-service-connection). diff --git a/docs/scenarios/README.md b/docs/scenarios/README.md index 788d40b..396064f 100644 --- a/docs/scenarios/README.md +++ b/docs/scenarios/README.md @@ -11,3 +11,4 @@ The following are common scenarios found during initial deployment or through op 7. [Customizing the compliance dashboard](./Extending-Compliance-Dashboard.md) 8. [Deploying application or platform landing zones](./Landing-Zone-Vending.md) 9. [Adding additional landing zone management groups](./Expanding-SLZ-ManagementGroups.md) +10. [Removing ALZ Policies](./Removing-Policy-Assignments.md) diff --git a/docs/scenarios/Removing-Policy-Assignments.md b/docs/scenarios/Removing-Policy-Assignments.md index 63258e5..5ec95c2 100644 --- a/docs/scenarios/Removing-Policy-Assignments.md +++ b/docs/scenarios/Removing-Policy-Assignments.md 
@@ -18,15 +18,25 @@ Navigate to the [Management Group](https://portal.azure.com/#view/Microsoft_Azur Update the SLZ Preview parameter file and set `parDeployAlzDefaultPolicies` to `false`. This will prevent the SLZ Preview from deploying the ALZ Policies in the future. -Navigate to the [Management Group](https://portal.azure.com/#view/Microsoft_Azure_ManagementGroups/ManagementGroupBrowseBlade/~/MGBrowse_overview) view and select the top-level management group for the SLZ Preview deployment. +Navigate to the [Management Group](https://portal.azure.com/#view/Microsoft_Azure_ManagementGroups/ManagementGroupBrowseBlade/~/MGBrowse_overview) view and select the top-level management group for the SLZ Preview deployment, and then select the **Policy** blade. This will ensure you have the appropriate scope selected - ![alz-delete-initiative-assignments](../images/alz-update-initiative-with-builtin-04.png) + ![alz-initiative-assignments-overview](../images/removing-policy-assignments-01-policy-overview-blade.png) -- For each assignment, click the ellipsis and select Delete Assignment. -- Once all initiative assignments are deleted, go to the Definitions pane, search for the initiative definition. Once found click the ellipsis and choose Delete Policy Definition. +Navigate to the **Assignments** blade, then for each policy listed below perform the following: - ![alz-custom-initiative-def-search](../images/alz-update-initiative-with-builtin-01.png) -- For implementation details refer to the [ALZ Assignment Deletion](https://github.com/Azure/ALZ-Bicep/blob/da0af7a5a1f21825b497017f52264df2d29aa0a6/docs/wiki/PolicyDeepDive.md) docs, and for design consideration refer to the [ALZ Policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) doc. 
+1) Search for the assignment name + + ![alz-find-initiative-assignments](../images/removing-policy-assignments-02-search-filter.png) + +2) Select the ellipsis for the assignment + + ![alz-select-initiative-assignments](../images/removing-policy-assignments-03-select-ellipsis.png) + +3) Delete the assignment + + ![alz-delete-initiative-assignments](../images/removing-policy-assignments-04-select-delete-assignment.png) + +For further details refer to the [ALZ Assignment Deletion](https://github.com/Azure/ALZ-Bicep/blob/da0af7a5a1f21825b497017f52264df2d29aa0a6/docs/wiki/PolicyDeepDive.md) docs, and for design consideration refer to the [ALZ Policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) doc. ## ALZ Policy Assignments diff --git a/modules/compliance/policySetDefinitions/slzConfidentialDefaults.json b/modules/compliance/policySetDefinitions/slzConfidentialDefaults.json index 8c9c51e..d8db9d7 100644 --- a/modules/compliance/policySetDefinitions/slzConfidentialDefaults.json +++ b/modules/compliance/policySetDefinitions/slzConfidentialDefaults.json 
@@ -21,85 +21,60 @@ "type": "array", "defaultValue": [], "allowedValues": [ - "asia", - "asiapacific", - "australia", "australiacentral", "australiacentral2", "australiaeast", "australiasoutheast", - "brazil", "brazilsouth", "brazilsoutheast", - "canada", + "brazilus", "canadacentral", "canadaeast", "centralindia", "centralus", "centraluseuap", - "centralusstage", "eastasia", - "eastasiastage", "eastus", "eastus2", "eastus2euap", - "eastus2stage", - "eastusstage", "eastusstg", - "europe", - "france", "francecentral", "francesouth", - "germany", "germanynorth", "germanywestcentral", - "global", - "india", - "japan", + "israelcentral", + "italynorth", "japaneast", "japanwest", "jioindiacentral", "jioindiawest", - "korea", "koreacentral", "koreasouth", "northcentralus", - "northcentralusstage", "northeurope", - "norway", "norwayeast", "norwaywest", + "polandcentral", "qatarcentral", - "singapore", - "southafrica", "southafricanorth", "southafricawest", "southcentralus", - "southcentralusstage", "southcentralusstg", "southeastasia", - "southeastasiastage", "southindia", "swedencentral", - "switzerland", "switzerlandnorth", "switzerlandwest", - "uae", "uaecentral", "uaenorth", - "uk", "uksouth", "ukwest", - "unitedstates", - "unitedstateseuap", "westcentralus", "westeurope", "westindia", "westus", "westus2", - "westus2stage", - "westus3", - "westusstage" + "westus3" ], "metadata": { "displayName": "Allowed locations", diff --git a/modules/compliance/policySetDefinitions/slzGlobalDefaults.json b/modules/compliance/policySetDefinitions/slzGlobalDefaults.json index 302537f..627d41e 100644 --- a/modules/compliance/policySetDefinitions/slzGlobalDefaults.json +++ b/modules/compliance/policySetDefinitions/slzGlobalDefaults.json 
@@ -12,85 +12,60 @@ "type": "array", "defaultValue": [], "allowedValues": [ - "asia", - "asiapacific", - "australia", "australiacentral", "australiacentral2", "australiaeast", "australiasoutheast", - "brazil", "brazilsouth", "brazilsoutheast", - "canada", + "brazilus", "canadacentral", "canadaeast", "centralindia", "centralus", "centraluseuap", - "centralusstage", "eastasia", - "eastasiastage", "eastus", "eastus2", "eastus2euap", - "eastus2stage", - "eastusstage", "eastusstg", - "europe", - "france", "francecentral", "francesouth", - "germany", "germanynorth", "germanywestcentral", - "global", - "india", - "japan", + "israelcentral", + "italynorth", "japaneast", "japanwest", "jioindiacentral", "jioindiawest", - "korea", "koreacentral", "koreasouth", "northcentralus", - "northcentralusstage", "northeurope", - "norway", "norwayeast", "norwaywest", + "polandcentral", "qatarcentral", - "singapore", - "southafrica", "southafricanorth", "southafricawest", "southcentralus", - "southcentralusstage", "southcentralusstg", "southeastasia", - "southeastasiastage", "southindia", "swedencentral", - "switzerland", "switzerlandnorth", "switzerlandwest", - "uae", "uaecentral", "uaenorth", - "uk", "uksouth", "ukwest", - "unitedstates", - "unitedstateseuap", "westcentralus", "westeurope", "westindia", "westus", "westus2", - "westus2stage", - "westus3", - "westusstage" + "westus3" ], "metadata": { "displayName": "Allowed locations", @@ -115,9 +90,7 @@ "value": "[[parameters('listOfAllowedLocations')]" } }, - "groupNames": [ - "dashboard-Data Residency" - ] + "groupNames": ["dashboard-Data Residency"] }, { "policyDefinitionReferenceId": "AllowedLocations", @@ -127,9 +100,7 @@ "value": "[[parameters('listOfAllowedLocations')]" } }, - "groupNames": [ - "dashboard-Data Residency" - ] + "groupNames": ["dashboard-Data Residency"] }, { "policyDefinitionReferenceId": "Azure Cosmos DB allowed locations_1", 
@@ -139,9 +110,7 @@ "value": "[[parameters('listOfAllowedLocations')]" } }, - "groupNames": [ - "dashboard-Data Residency" - ] + "groupNames": ["dashboard-Data Residency"] } ] }, diff --git a/modules/util/deployment-script.bicep b/modules/util/deployment-script.bicep index 40696bf..3f5ca0a 100644 --- a/modules/util/deployment-script.bicep +++ b/modules/util/deployment-script.bicep @@ -31,7 +31,8 @@ param parTimeout string = 'PT1H' @description('Script retention in ISO 8601 format. Default is 1 hour.') param parRetentionInterval string = 'PT1H' -resource resDs 'Microsoft.Resources/deploymentScripts@2020-10-01' = { +#disable-next-line BCP081 +resource resDs 'Microsoft.Resources/deploymentScripts@2023-08-01' = { name: parDeploymentScriptName location: parLocation kind: 'AzureCLI' diff --git a/orchestration/dashboard/dashboard.bicep b/orchestration/dashboard/dashboard.bicep index 357aefe..30ae565 100644 --- a/orchestration/dashboard/dashboard.bicep +++ b/orchestration/dashboard/dashboard.bicep 
@@ -17,85 +17,60 @@ param parDeploymentSuffix string = '' @description('Deployment location') @allowed([ - 'asia' - 'asiapacific' - 'australia' 'australiacentral' 'australiacentral2' 'australiaeast' 'australiasoutheast' - 'brazil' 'brazilsouth' 'brazilsoutheast' - 'canada' + 'brazilus' 'canadacentral' 'canadaeast' 'centralindia' 'centralus' 'centraluseuap' - 'centralusstage' 'eastasia' - 'eastasiastage' 'eastus' 'eastus2' 'eastus2euap' - 'eastus2stage' - 'eastusstage' 'eastusstg' - 'europe' - 'france' 'francecentral' 'francesouth' - 'germany' 'germanynorth' 'germanywestcentral' - 'global' - 'india' - 'japan' + 'israelcentral' + 'italynorth' 'japaneast' 'japanwest' 'jioindiacentral' 'jioindiawest' - 'korea' 'koreacentral' 'koreasouth' 'northcentralus' - 'northcentralusstage' 'northeurope' - 'norway' 'norwayeast' 'norwaywest' + 'polandcentral' 'qatarcentral' - 'singapore' - 'southafrica' 'southafricanorth' 'southafricawest' 'southcentralus' - 'southcentralusstage' 'southcentralusstg' 'southeastasia' - 'southeastasiastage' 'southindia' 'swedencentral' - 'switzerland' 'switzerlandnorth' 'switzerlandwest' - 'uae' 'uaecentral' 'uaenorth' - 'uk' 'uksouth' 'ukwest' - 'unitedstates' - 'unitedstateseuap' 'westcentralus' 'westeurope' 'westindia' 'westus' 'westus2' - 'westus2stage' 'westus3' - 'westusstage' ]) param parDeploymentLocation string diff --git a/orchestration/policyInstallation/policyInstallation.bicep b/orchestration/policyInstallation/policyInstallation.bicep index 003ddfb..8bdb1c5 100644 --- a/orchestration/policyInstallation/policyInstallation.bicep +++ b/orchestration/policyInstallation/policyInstallation.bicep 
@@ -17,85 +17,60 @@ param parDeploymentSuffix string = '' @description('Deployment location') @allowed([ - 'asia' - 'asiapacific' - 'australia' 'australiacentral' 'australiacentral2' 'australiaeast' 'australiasoutheast' - 'brazil' 'brazilsouth' 'brazilsoutheast' - 'canada' + 'brazilus' 'canadacentral' 'canadaeast' 'centralindia' 'centralus' 'centraluseuap' - 'centralusstage' 'eastasia' - 'eastasiastage' 'eastus' 'eastus2' 'eastus2euap' - 'eastus2stage' - 'eastusstage' 'eastusstg' - 'europe' - 'france' 'francecentral' 'francesouth' - 'germany' 'germanynorth' 'germanywestcentral' - 'global' - 'india' - 'japan' + 'israelcentral' + 'italynorth' 'japaneast' 'japanwest' 'jioindiacentral' 'jioindiawest' - 'korea' 'koreacentral' 'koreasouth' 'northcentralus' - 'northcentralusstage' 'northeurope' - 'norway' 'norwayeast' 'norwaywest' + 'polandcentral' 'qatarcentral' - 'singapore' - 'southafrica' 'southafricanorth' 'southafricawest' 'southcentralus' - 'southcentralusstage' 'southcentralusstg' 'southeastasia' - 'southeastasiastage' 'southindia' 'swedencentral' - 'switzerland' 'switzerlandnorth' 'switzerlandwest' - 'uae' 'uaecentral' 'uaenorth' - 'uk' 'uksouth' 'ukwest' - 'unitedstates' - 'unitedstateseuap' 'westcentralus' 'westeurope' 'westindia' 'westus' 'westus2' - 'westus2stage' 'westus3' - 'westusstage' ]) param parDeploymentLocation string 
@@ -108,7 +83,7 @@ param parTimestamp string = utcNow() var varManagementGroupId = '${parDeploymentPrefix}${parDeploymentSuffix}' // Module - create alz default Policy Definitions -module modAlzDefaultPolicyDefinitions '../../dependencies/infra-as-code/bicep/modules/policy/definitions/slz-defaultandCustomPolicyDefinitions.bicep' = if (parDeployAlzDefaultPolicies) { +module modAlzDefaultPolicyDefinitions '../../dependencies/infra-as-code/bicep/modules/policy/definitions/slz-defaultandCustomPolicyDefinitions.bicep' = { scope: managementGroup(varManagementGroupId) name: take('${parDeploymentPrefix}-polDefs-${parDeploymentLocation}-${parTimestamp}${parDeploymentSuffix}', 64) } diff --git a/orchestration/scripts/New-Compliance.ps1 b/orchestration/scripts/New-Compliance.ps1 index 8c39e9c..8673f7b 100644 --- a/orchestration/scripts/New-Compliance.ps1 +++ b/orchestration/scripts/New-Compliance.ps1 @@ -473,7 +473,7 @@ function Invoke-PolicyEvaluation { $varJob | Wait-Job } else { - Start-AzPolicyComplianceScan + Start-AzPolicyComplianceScan -AsJob } } Write-Information "Policy scan completed." -InformationAction Continue diff --git a/orchestration/scripts/New-PolicyRemediation.ps1 b/orchestration/scripts/New-PolicyRemediation.ps1 index 949b933..b455bcd 100644 --- a/orchestration/scripts/New-PolicyRemediation.ps1 +++ b/orchestration/scripts/New-PolicyRemediation.ps1 @@ -103,7 +103,7 @@ function New-Remediation { Write-Error "`n Error while executing policy remediation deployment" -ErrorAction Stop } - Write-Information ">>> Policy remediation $parRemediationName completed." -InformationAction Continue + Write-Information ">>> Policy remediation $($parParams.parPolicyRemediationName) completed." -InformationAction Continue return } else { 
@@ -113,16 +113,10 @@ function New-Remediation { -TemplateFile $varPolicyRemediationBicepFilePath ` -ManagementGroupId $varManagementGroupId ` -TemplateParameterObject $parParams ` - -WarningAction Ignore - - if ($modDeployPolicyRemediation) { - Write-Error "`n>>> Error occured in policy remediation" -ErrorAction Stop - } - if ($modDeployPolicyRemediation.ProvisioningState -eq "Failed") { - Write-Error "`n Error while executing policy remediation deployment" -ErrorAction Stop - } + -WarningAction Ignore ` + -AsJob - Write-Information ">>> Policy remediation $parRemediationName scheduled." -InformationAction Continue + Write-Information ">>> Policy remediation $($parParams.parPolicyRemediationName) scheduled." -InformationAction Continue return } } diff --git a/orchestration/scripts/parameters/sovereignLandingZone.parameters.json b/orchestration/scripts/parameters/sovereignLandingZone.parameters.json index 1324ea3..42c04e4 100644 --- a/orchestration/scripts/parameters/sovereignLandingZone.parameters.json +++ b/orchestration/scripts/parameters/sovereignLandingZone.parameters.json @@ -60,30 +60,46 @@ "australiaeast", "australiasoutheast", "brazilsouth", + "brazilsoutheast", + "brazilus", "canadacentral", "canadaeast", "centralindia", "centralus", + "centraluseuap", "eastasia", "eastus", "eastus2", + "eastus2euap", + "eastusstg", "francecentral", + "francesouth", + "germanynorth", "germanywestcentral", + "israelcentral", + "italynorth", "japaneast", "japanwest", + "jioindiacentral", "jioindiawest", "koreacentral", "koreasouth", "northcentralus", "northeurope", "norwayeast", + "norwaywest", + "polandcentral", "qatarcentral", "southafricanorth", + "southafricawest", "southcentralus", + "southcentralusstg", "southeastasia", "southindia", "swedencentral", "switzerlandnorth", + "switzerlandwest", + "uaecentral", "uaenorth", "uksouth", "ukwest", 
@@ -107,30 +123,46 @@ "australiaeast", "australiasoutheast", "brazilsouth", + "brazilsoutheast", + "brazilus", "canadacentral", "canadaeast", "centralindia", "centralus", + "centraluseuap", "eastasia", "eastus", "eastus2", + "eastus2euap", + "eastusstg", "francecentral", + "francesouth", + "germanynorth", "germanywestcentral", + "israelcentral", + "italynorth", "japaneast", "japanwest", + "jioindiacentral", "jioindiawest", "koreacentral", "koreasouth", "northcentralus", "northeurope", "norwayeast", + "norwaywest", + "polandcentral", "qatarcentral", "southafricanorth", + "southafricawest", "southcentralus", + "southcentralusstg", "southeastasia", "southindia", "swedencentral", "switzerlandnorth", + "switzerlandwest", + "uaecentral", "uaenorth", "uksouth", "ukwest", @@ -154,30 +186,46 @@ "australiaeast", "australiasoutheast", "brazilsouth", + "brazilsoutheast", + "brazilus", "canadacentral", "canadaeast", "centralindia", "centralus", + "centraluseuap", "eastasia", "eastus", "eastus2", + "eastus2euap", + "eastusstg", "francecentral", + "francesouth", + "germanynorth", "germanywestcentral", + "israelcentral", + "italynorth", "japaneast", "japanwest", + "jioindiacentral", "jioindiawest", "koreacentral", "koreasouth", "northcentralus", "northeurope", "norwayeast", + "norwaywest", + "polandcentral", "qatarcentral", "southafricanorth", + "southafricawest", "southcentralus", + "southcentralusstg", "southeastasia", "southindia", "swedencentral", "switzerlandnorth", + "switzerlandwest", + "uaecentral", "uaenorth", "uksouth", "ukwest", diff --git a/orchestration/sovereignPlatform/sovereignPlatform.bicep b/orchestration/sovereignPlatform/sovereignPlatform.bicep index 5721fd0..83c6255 100644 --- a/orchestration/sovereignPlatform/sovereignPlatform.bicep +++ b/orchestration/sovereignPlatform/sovereignPlatform.bicep 
@@ -22,85 +22,60 @@ param parDeploymentSuffix string = '' @description('Deployment location') @allowed([ - 'asia' - 'asiapacific' - 'australia' 'australiacentral' 'australiacentral2' 'australiaeast' 'australiasoutheast' - 'brazil' 'brazilsouth' 'brazilsoutheast' - 'canada' + 'brazilus' 'canadacentral' 'canadaeast' 'centralindia' 'centralus' 'centraluseuap' - 'centralusstage' 'eastasia' - 'eastasiastage' 'eastus' 'eastus2' 'eastus2euap' - 'eastus2stage' - 'eastusstage' 'eastusstg' - 'europe' - 'france' 'francecentral' 'francesouth' - 'germany' 'germanynorth' 'germanywestcentral' - 'global' - 'india' - 'japan' + 'israelcentral' + 'italynorth' 'japaneast' 'japanwest' 'jioindiacentral' 'jioindiawest' - 'korea' 'koreacentral' 'koreasouth' 'northcentralus' - 'northcentralusstage' 'northeurope' - 'norway' 'norwayeast' 'norwaywest' + 'polandcentral' 'qatarcentral' - 'singapore' - 'southafrica' 'southafricanorth' 'southafricawest' 'southcentralus' - 'southcentralusstage' 'southcentralusstg' 'southeastasia' - 'southeastasiastage' 'southindia' 'swedencentral' - 'switzerland' 'switzerlandnorth' 'switzerlandwest' - 'uae' 'uaecentral' 'uaenorth' - 'uk' 'uksouth' 'ukwest' - 'unitedstates' - 'unitedstateseuap' 'westcentralus' 'westeurope' 'westindia' 'westus' 'westus2' - 'westus2stage' 'westus3' - 'westusstage' ]) param parDeploymentLocation string 
@@ -447,8 +422,8 @@ module modHubNetworking '../../dependencies/infra-as-code/bicep/modules/hubNetwo output outConnectivitySubscriptionId string = parConnectivitySubscriptionId output outDeploymentLocation string = parDeploymentLocation output outDeploymentPrefix string = parDeploymentPrefix -output outDdosProtectionResourceId string = parDeployHubNetwork ? modHubNetworking.outputs.outDdosPlanResourceId : '' -output outLogAnalyticsWorkspaceId string = modLogging.outputs.outLogAnalyticsWorkspaceId -output outAutomationAccountName string = modLogging.outputs.outAutomationAccountName +output outDdosProtectionResourceId string = parDeployHubNetwork && parDeployDdosProtection ? modHubNetworking.outputs.outDdosPlanResourceId : '' +output outLogAnalyticsWorkspaceId string = parDeployLogAnalyticsWorkspace ? modLogging.outputs.outLogAnalyticsWorkspaceId : '' +output outAutomationAccountName string = parDeployLogAnalyticsWorkspace ? modLogging.outputs.outAutomationAccountName : '' output outPrivateDNSZones array = parDeployHubNetwork ? modHubNetworking.outputs.outPrivateDnsZones : [] output outHubVirtualNetworkId string = parDeployHubNetwork ? modHubNetworking.outputs.outHubVirtualNetworkId : ''
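Review bot: the allowed-locations list is maintained by hand in five places in this patch (slzConfidentialDefaults.json, slzGlobalDefaults.json, dashboard.bicep, policyInstallation.bicep, sovereignPlatform.bicep) and the edits are identical in each, so the next region change will drift unless it is generated from one source (a shared Bicep variable file or a build step that writes the JSON `allowedValues` and the `@allowed([...])` lists together). Separately, `global` is dropped from `allowedValues` of `listOfAllowedLocations` while the `AllowedLocations` policy references still bind to it; confirm that resources which can only be deployed to location `global` are not denied by those assignments once the value is no longer selectable.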
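Review bot: in modules/util/deployment-script.bicep the new `#disable-next-line BCP081` silences the "resource type does not have types available" warning for `Microsoft.Resources/deploymentScripts@2023-08-01`, which means the property names in this resource body are no longer checked by the compiler; add a comment saying why the untyped API version is required and a TODO to remove the suppression once Bicep ships types for it, or stay on the latest typed version if nothing in the body needs 2023-08-01.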
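Review bot: removing `if (parDeployAlzDefaultPolicies)` from `modAlzDefaultPolicyDefinitions` in policyInstallation.bicep makes the ALZ default policy definitions deploy unconditionally, so if `parDeployAlzDefaultPolicies` is still declared it is now dead and callers who set it to false will be silently ignored; either remove the parameter and its documentation in the same change, or keep the guard and state the intended behaviour change in the PR description.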
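Review bot: in `Invoke-PolicyEvaluation` (New-Compliance.ps1) the else branch now runs `Start-AzPolicyComplianceScan -AsJob` and immediately logs "Policy scan completed.", but the job is neither captured nor waited on, so the message is wrong and a failed scan is never surfaced; mirror the if branch by assigning the job and piping it to `Wait-Job`, or change the message to "scheduled" and surface the job to the caller.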
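Review bot: in `New-Remediation` (New-PolicyRemediation.ps1) the move to `-AsJob` drops both post-deployment checks (`if ($modDeployPolicyRemediation)` and the `ProvisioningState -eq "Failed"` test) without capturing the job, so a remediation deployment that fails now logs "scheduled" and returns success; assign the job returned by the deployment call, collect the jobs across remediations, and after they are started `Wait-Job`/`Receive-Job` them and fail on a `ProvisioningState` of "Failed". Note that the removed `if ($modDeployPolicyRemediation)` check was inverted (it raised an error whenever a deployment object was returned), so it should not be restored as it was.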
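Review bot: the three allowed-locations lists in sovereignLandingZone.parameters.json now add the EUAP and stage regions (`centraluseuap`, `eastus2euap`, `eastusstg`, `southcentralusstg`) to the default data-residency allow-list; because this file is the shipped default for a sovereign deployment, confirm that widening the residency boundary to early-access regions is intended, and otherwise keep them out of the defaults while leaving them selectable in `allowedValues`. The list is also repeated three times in the file, so the same single-source generation that applies to the Bicep and policy-set lists should cover it.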
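Review bot: guarding `outDdosProtectionResourceId`, `outLogAnalyticsWorkspaceId` and `outAutomationAccountName` in sovereignPlatform.bicep on `parDeployDdosProtection` and `parDeployLogAnalyticsWorkspace` is the right fix, since referencing outputs of a skipped module fails at deployment time, but every consumer of these outputs must now tolerate `''`; check the callers in orchestration/scripts and any diagnostic-settings or DDoS-plan references so an empty string is not passed on as a resource id, and document in the parameter descriptions that these outputs are empty when the corresponding feature is disabled.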